Reduce required Bitbucket scopes (#20195)

components/public-api/typescript-common/src/auth-providers.ts

@@ -37,7 +37,7 @@ export namespace GitHubScope {
 export namespace BitbucketOAuthScopes {
     // https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html
 
-    /** Read user info like name, e-mail adresses etc. */
+    /** Read user info like name, e-mail addresses etc. */
     export const ACCOUNT_READ = "account";
     /** Access repo info, clone repo over https, read and write issues */
     export const REPOSITORY_READ = "repository";
@@ -47,16 +47,13 @@ export namespace BitbucketOAuthScopes {
     export const PULL_REQUEST_READ = "pullrequest";
     /** Create, comment and merge pull requests */
     export const PULL_REQUEST_WRITE = "pullrequest:write";
-    /** Create, list web hooks */
-    export const WEBHOOK = "webhook";
 
     export const ALL = [
         ACCOUNT_READ,
         REPOSITORY_READ,
         REPOSITORY_WRITE,
         PULL_REQUEST_READ,
         PULL_REQUEST_WRITE,
-        WEBHOOK,
     ];
 
     export const DEFAULT = ALL;

components/server/src/bitbucket-server/bitbucket-server-auth-provider.ts

@@ -63,7 +63,7 @@ export class BitbucketServerAuthProvider extends GenericAuthProvider {
         try {
             const username = await this.api.currentUsername(accessToken);
             const userProfile = await this.api.getUserProfile(accessToken, username);
-            const avatarUrl = await this.api.getAvatarUrl(username);
+            const avatarUrl = this.api.getAvatarUrl(username);
             return <AuthUserSetup>{
                 authUser: {
                     // e.g. 105
@@ -74,7 +74,7 @@ export class BitbucketServerAuthProvider extends GenericAuthProvider {
                     name: userProfile.displayName!,
                     avatarUrl,
                 },
-                currentScopes: BitbucketServerOAuthScopes.ALL,
+                currentScopes: BitbucketServerOAuthScopes.Requirements.DEFAULT,
             };
         } catch (error) {
             log.error(`(${this.strategyName}) Reading current user info failed`, error, { error });

components/server/src/bitbucket-server/bitbucket-server-oauth-scopes.ts

@@ -23,6 +23,6 @@ export namespace BitbucketServerOAuthScopes {
         /**
          * Minimal required permission.
          */
-        DEFAULT: ALL,
+        DEFAULT: [PUBLIC_REPOS, REPO_READ, REPO_WRITE],
     };
 }

components/server/src/bitbucket/bitbucket-oauth-scopes.ts

@@ -7,7 +7,7 @@
 // https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html
 
 export namespace BitbucketOAuthScopes {
-    /** Read user info like name, e-mail adresses etc. */
+    /** Read user info like name, e-mail addresses etc. */
     export const ACCOUNT_READ = "account";
     /** Access repo info, clone repo over https, read and write issues */
     export const REPOSITORY_READ = "repository";
@@ -17,17 +17,8 @@ export namespace BitbucketOAuthScopes {
     export const PULL_REQUEST_READ = "pullrequest";
     /** Create, comment and merge pull requests */
     export const PULL_REQUEST_WRITE = "pullrequest:write";
-    /** Create, list web hooks */
-    export const WEBHOOK = "webhook";
 
-    export const ALL = [
-        ACCOUNT_READ,
-        REPOSITORY_READ,
-        REPOSITORY_WRITE,
-        PULL_REQUEST_READ,
-        PULL_REQUEST_WRITE,
-        WEBHOOK,
-    ];
+    export const ALL = [ACCOUNT_READ, REPOSITORY_READ, REPOSITORY_WRITE, PULL_REQUEST_READ, PULL_REQUEST_WRITE];
 
     export const Requirements = {
         /**

components/server/src/user/token-service.ts

@@ -95,7 +95,7 @@ export class TokenService implements TokenProvider {
                         const doOpportunisticRefresh =
                             !!authProvider.requiresOpportunisticRefresh && authProvider.requiresOpportunisticRefresh();
                         if (!doOpportunisticRefresh) {
-                            // No opportunistic refresh? Update reserveation and we are done.
+                            // No opportunistic refresh? Update reservation and we are done.
                             await updateReservation(tokenEntry.uid, token, requestedLifetimeDate);
                             reportScmTokenRefreshRequest(host, opportunisticRefresh, "still_valid");
                             return token;