revert: Bitbucket OAuth 1.0 → 2.0 migration (PR #772)

Reverts all changes from the Bitbucket OAuth 2.0 migration in case
rollback is needed. Restores OAuth 1.0 signing and original token
refresh behavior.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: drazisil-codecov

apps/codecov-api/codecov_auth/tests/unit/views/test_bitbucket.py

@@ -8,16 +8,18 @@
 from codecov_auth.models import Owner
 from codecov_auth.views.bitbucket import BitbucketLoginView
 from shared.torngit.bitbucket import Bitbucket
-from shared.torngit.exceptions import (
-    TorngitClientGeneralError,
-)
+from shared.torngit.exceptions import TorngitServer5xxCodeError
+from utils.encryption import encryptor
 
 
 def test_get_bitbucket_redirect(client, settings, mocker):
-    mocked_generate = mocker.patch.object(
+    mocked_get = mocker.patch.object(
         Bitbucket,
-        "generate_redirect_url",
-        return_value="https://bitbucket.org/site/oauth2/authorize?client_id=testqmo19ebdkseoby&response_type=code&redirect_uri=http%3A%2F%2Flocalhost&state=teststate",
+        "generate_request_token",
+        return_value={
+            "oauth_token": "testy6r2of6ajkmrub",
+            "oauth_token_secret": "testzibw5q01scpl8qeeupzh8u9yu8hz",
+        },
     )
     settings.BITBUCKET_REDIRECT_URI = "http://localhost"
     settings.BITBUCKET_CLIENT_ID = "testqmo19ebdkseoby"
@@ -26,33 +28,30 @@ def test_get_bitbucket_redirect(client, settings, mocker):
     res = client.get(url, SERVER_NAME="localhost:8000")
     assert res.status_code == 302
 
-    assert "_bb_oauth_state" in res.cookies
-    cookie = res.cookies["_bb_oauth_state"]
+    assert "_oauth_request_token" in res.cookies
+    cookie = res.cookies["_oauth_request_token"]
     assert cookie.value
     assert cookie.get("domain") == settings.COOKIES_DOMAIN
-    assert cookie.get("secure")
-    assert cookie.get("samesite") == settings.COOKIE_SAME_SITE
-    assert cookie.get("max-age") == 300
-    assert mocked_generate.call_count == 1
-    # state kwarg was passed through
-    _, kwargs = mocked_generate.call_args
-    assert kwargs.get("state") is not None
+    assert (
+        res.url
+        == "https://bitbucket.org/api/1.0/oauth/authenticate?oauth_token=testy6r2of6ajkmrub"
+    )
+    mocked_get.assert_called_with(settings.BITBUCKET_REDIRECT_URI)
 
 
-def test_get_bitbucket_redirect_bitbucket_error(client, settings, mocker):
-    mocker.patch.object(
-        Bitbucket,
-        "generate_redirect_url",
-        side_effect=TorngitClientGeneralError(400, {}, "bad request"),
+def test_get_bitbucket_redirect_bitbucket_unavailable(client, settings, mocker):
+    mocked_get = mocker.patch.object(
+        Bitbucket, "generate_request_token", side_effect=TorngitServer5xxCodeError()
     )
     settings.BITBUCKET_REDIRECT_URI = "http://localhost"
     settings.BITBUCKET_CLIENT_ID = "testqmo19ebdkseoby"
     settings.BITBUCKET_CLIENT_SECRET = "testfi8hzehvz453qj8mhv21ca4rf83f"
     url = reverse("bitbucket-login")
     res = client.get(url, SERVER_NAME="localhost:8000")
     assert res.status_code == 302
-    assert "_bb_oauth_state" not in res.cookies
+    assert "_oauth_request_token" not in res.cookies
     assert res.url == url
+    mocked_get.assert_called_with(settings.BITBUCKET_REDIRECT_URI)
 
 
 async def fake_get_authenticated_user():
@@ -111,22 +110,23 @@ async def fake_list_teams():
         "generate_access_token",
         return_value={
             "key": "test6tl3evq7c8vuyn",
-            "secret": "testrefreshtoken",
+            "secret": "testdm61tppb5x0tam7nae3qajhcepzz",
         },
     )
     settings.BITBUCKET_REDIRECT_URI = "http://localhost"
     settings.BITBUCKET_CLIENT_ID = "testqmo19ebdkseoby"
     settings.BITBUCKET_CLIENT_SECRET = "testfi8hzehvz453qj8mhv21ca4rf83f"
     settings.CODECOV_DASHBOARD_URL = "dashboard.value"
     settings.COOKIE_SECRET = "aaaaa"
-
-    state = "test_state_value_abc123"
     url = reverse("bitbucket-login")
+    oauth_request_token = (
+        "dGVzdDZ0bDNldnE3Yzh2dXlu|dGVzdGRtNjF0cHBiNXgwdGFtN25hZTNxYWpoY2Vweno="
+    )
     client.cookies = SimpleCookie(
         {
-            "_bb_oauth_state": signing.get_cookie_signer(salt="_bb_oauth_state").sign(
-                state
-            )
+            "_oauth_request_token": signing.get_cookie_signer(
+                salt="_oauth_request_token"
+            ).sign(encryptor.encode(oauth_request_token).decode())
         }
     )
     mock_create_user_onboarding_metric = mocker.patch(
@@ -135,17 +135,17 @@ async def fake_list_teams():
 
     res = client.get(
         url,
-        {"code": "auth_code_from_bitbucket", "state": state},
+        {"oauth_verifier": 8519288973, "oauth_token": "test1daxl4jnhegoh4"},
         SERVER_NAME="localhost:8000",
     )
     assert res.status_code == 302
     assert res.url == "dashboard.value/bb"
-    assert "_bb_oauth_state" in res.cookies
-    cookie = res.cookies["_bb_oauth_state"]
+    assert "_oauth_request_token" in res.cookies
+    cookie = res.cookies["_oauth_request_token"]
     assert cookie.value == ""
     assert cookie.get("domain") == settings.COOKIES_DOMAIN
     mocked_get.assert_called_with(
-        "auth_code_from_bitbucket", settings.BITBUCKET_REDIRECT_URI
+        "test6tl3evq7c8vuyn", "testdm61tppb5x0tam7nae3qajhcepzz", "8519288973"
     )
     owner = Owner.objects.get(username="ThiagoCodecov", service="bitbucket")
     expected_call = call(
@@ -155,8 +155,13 @@ async def fake_list_teams():
     )
     assert mock_create_user_onboarding_metric.call_args_list == [expected_call]
 
+    assert (
+        encryptor.decode(owner.oauth_token)
+        == "test6tl3evq7c8vuyn:testdm61tppb5x0tam7nae3qajhcepzz"
+    )
 
-def test_get_bitbucket_already_token_no_state_cookie(
+
+def test_get_bitbucket_already_token_no_cookie(
     client, settings, mocker, db, mock_redis
 ):
     mocker.patch(
@@ -170,7 +175,7 @@ def test_get_bitbucket_already_token_no_state_cookie(
         "generate_access_token",
         return_value={
             "key": "test6tl3evq7c8vuyn",
-            "secret": "testrefreshtoken",
+            "secret": "testdm61tppb5x0tam7nae3qajhcepzz",
         },
     )
     settings.BITBUCKET_REDIRECT_URI = "http://localhost"
@@ -179,39 +184,7 @@ def test_get_bitbucket_already_token_no_state_cookie(
     url = reverse("bitbucket-login")
     res = client.get(
         url,
-        {"code": "auth_code_from_bitbucket", "state": "some_state"},
-        SERVER_NAME="localhost:8000",
-    )
-    assert res.status_code == 302
-    assert res.url == "/login/bitbucket"
-    assert not mocked_get.called
-
-
-def test_get_bitbucket_state_mismatch(client, settings, mocker, db, mock_redis):
-    mocked_get = mocker.patch.object(
-        Bitbucket,
-        "generate_access_token",
-        return_value={
-            "key": "test6tl3evq7c8vuyn",
-            "secret": "testrefreshtoken",
-        },
-    )
-    settings.BITBUCKET_REDIRECT_URI = "http://localhost"
-    settings.BITBUCKET_CLIENT_ID = "testqmo19ebdkseoby"
-    settings.BITBUCKET_CLIENT_SECRET = "testfi8hzehvz453qj8mhv21ca4rf83f"
-    settings.COOKIE_SECRET = "aaaaa"
-
-    url = reverse("bitbucket-login")
-    client.cookies = SimpleCookie(
-        {
-            "_bb_oauth_state": signing.get_cookie_signer(salt="_bb_oauth_state").sign(
-                "legit_state"
-            )
-        }
-    )
-    res = client.get(
-        url,
-        {"code": "auth_code_from_bitbucket", "state": "attacker_injected_state"},
+        {"oauth_verifier": 8519288973, "oauth_token": "test1daxl4jnhegoh4"},
         SERVER_NAME="localhost:8000",
     )
     assert res.status_code == 302

apps/codecov-api/codecov_auth/views/bitbucket.py

@@ -1,5 +1,6 @@
+import base64
 import logging
-import secrets
+from urllib.parse import urlencode
 
 from asgiref.sync import async_to_sync
 from django.conf import settings
@@ -12,10 +13,8 @@
     UserOnboardingMetricsService,
 )
 from shared.torngit import Bitbucket
-from shared.torngit.exceptions import (
-    TorngitClientGeneralError,
-    TorngitServerFailureError,
-)
+from shared.torngit.exceptions import TorngitServerFailureError
+from utils.encryption import encryptor
 
 log = logging.getLogger(__name__)
 
@@ -54,19 +53,23 @@ def redirect_to_bitbucket_step(self, request):
                 "secret": settings.BITBUCKET_CLIENT_SECRET,
             }
         )
-        state = secrets.token_urlsafe(32)
-        url_to_redirect = repo_service.generate_redirect_url(
-            settings.BITBUCKET_REDIRECT_URI, state=state
+        oauth_token_pair = repo_service.generate_request_token(
+            settings.BITBUCKET_REDIRECT_URI
         )
+        oauth_token = oauth_token_pair["oauth_token"]
+        oauth_token_secret = oauth_token_pair["oauth_token_secret"]
+        url_params = urlencode({"oauth_token": oauth_token})
+        url_to_redirect = f"{Bitbucket._OAUTH_AUTHORIZE_URL}?{url_params}"
         response = redirect(url_to_redirect)
+        data = (
+            base64.b64encode(oauth_token.encode())
+            + b"|"
+            + base64.b64encode(oauth_token_secret.encode())
+        ).decode()
         response.set_signed_cookie(
-            "_bb_oauth_state",
-            state,
+            "_oauth_request_token",
+            encryptor.encode(data).decode(),
             domain=settings.COOKIES_DOMAIN,
-            httponly=True,
-            secure=settings.SESSION_COOKIE_SECURE,
-            samesite=settings.COOKIE_SAME_SITE,
-            max_age=300,
         )
         self.store_to_cookie_utm_tags(response)
         return response
@@ -78,13 +81,19 @@ def actual_login_step(self, request):
                 "secret": settings.BITBUCKET_CLIENT_SECRET,
             }
         )
-        expected_state = request.get_signed_cookie("_bb_oauth_state", default=None)
-        if not expected_state or request.GET.get("state") != expected_state:
-            log.warning("Bitbucket OAuth state mismatch — possible CSRF attempt")
+        oauth_verifier = request.GET.get("oauth_verifier")
+        request_cookie = request.get_signed_cookie("_oauth_request_token", default=None)
+        if not request_cookie:
+            log.warning(
+                "Request arrived with proper url params but not the proper cookies"
+            )
             return redirect(reverse("bitbucket-login"))
-        code = request.GET.get("code")
+        request_cookie = encryptor.decode(request_cookie)
+        cookie_key, cookie_secret = [
+            base64.b64decode(i).decode() for i in request_cookie.split("|")
+        ]
         token = repo_service.generate_access_token(
-            code, settings.BITBUCKET_REDIRECT_URI
+            cookie_key, cookie_secret, oauth_verifier
         )
         user_dict = self.fetch_user_data(token)
         user = self.get_and_modify_owner(user_dict, request)
@@ -93,7 +102,7 @@ def actual_login_step(self, request):
             redirection_url, user
         )
         response = redirect(redirection_url)
-        response.delete_cookie("_bb_oauth_state", domain=settings.COOKIES_DOMAIN)
+        response.delete_cookie("_oauth_request_token", domain=settings.COOKIES_DOMAIN)
         self.login_owner(user, request, response)
         log.info("User successfully logged in", extra={"ownerid": user.ownerid})
         UserOnboardingMetricsService.create_user_onboarding_metric(
@@ -106,7 +115,7 @@ def get(self, request):
             return redirect(f"{settings.CODECOV_DASHBOARD_URL}/login")
 
         try:
-            if request.GET.get("code"):
+            if request.GET.get("oauth_verifier"):
                 log.info("Logging into bitbucket after authorization")
                 return self.actual_login_step(request)
             else:
@@ -115,6 +124,3 @@ def get(self, request):
         except TorngitServerFailureError:
             log.warning("Bitbucket not available for login")
             return redirect(reverse("bitbucket-login"))
-        except TorngitClientGeneralError:
-            log.warning("Bitbucket OAuth error during login")
-            return redirect(reverse("bitbucket-login"))

apps/codecov-api/services/repo_providers.py

@@ -42,7 +42,7 @@ def get_token_refresh_callback(
     """
     if owner is None:
         return None
-    if service == Service.BITBUCKET_SERVER:
+    if service == Service.BITBUCKET or service == Service.BITBUCKET_SERVER:
         return None
 
     @sync_to_async

apps/codecov-api/services/tests/test_repo_providers.py

@@ -111,6 +111,7 @@ def test__is_using_integration_ghapp_covers_some_repos(mock_get_config, db):
     "should_have_owner,service",
     [
         (False, Service.GITHUB.value),
+        (True, Service.BITBUCKET.value),
         (True, Service.BITBUCKET_SERVER.value),
     ],
 )
@@ -121,13 +122,6 @@ def test_token_refresh_callback_none_cases(should_have_owner, service, db):
     assert get_token_refresh_callback(owner, service) is None
 
 
-def test_token_refresh_callback_bitbucket(db):
-    owner = OwnerFactory(service=Service.BITBUCKET.value)
-    callback = get_token_refresh_callback(owner, Service.BITBUCKET)
-    assert callback is not None
-    assert inspect.iscoroutinefunction(callback)
-
-
 GITHUB_SENTRY_APP_ID = 4321
 
 

apps/worker/helpers/token_refresh.py

@@ -19,7 +19,7 @@ def get_token_refresh_callback(owner: Owner) -> Callable[[dict], None]:
         return None
 
     service = owner.service
-    if service == "bitbucket_server":
+    if service == "bitbucket" or service == "bitbucket_server":
         return None
 
     async def callback(new_token: dict) -> None:

apps/worker/services/tests/test_repository_service.py

@@ -224,7 +224,7 @@ def test_get_repo_provider_service_bitbucket(dbsession):
     }
     assert res.data == expected_data
     assert repo.author.service == "bitbucket"
-    assert res._on_token_refresh is not None
+    assert res._on_token_refresh is None
     assert res.token == {
         "username": repo.author.username,
         "key": "testyftq3ovzkb3zmt823u3t04lkrt9w",