
Use BitBucket UUID instead of username

Open stephen-smith opened this issue 7 years ago • 3 comments

https://github.com/davido/gerrit-oauth-provider/blob/90b66bbf374fe4575b829eb41d940556060fda31/src/main/java/com/googlesource/gerrit/plugins/oauth/BitbucketOAuthService.java#L98

Grabs the "username" and "display_name" and might fix up the old numeric ids.

But BitBucket allows users to change these fields, so UUIDs need to be used to prevent spoofing: https://confluence.atlassian.com/bitbucket/rest-apis-222724129.html#RESTAPIs-uuid-mainUniversallyUniqueIdentifier(UUID)

stephen-smith, Mar 03 '18 00:03

If we make that change, we would need some kind of data migration.

davido, Mar 03 '18 07:03
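
An added example, not part of the thread and not gerrit-oauth-provider code, of the two points above: linking the local account to the mutable username versus the UUID, and a one-off migration of existing links. It assumes Java 16 or later; the class, method and key-prefix names are hypothetical and the sample users are constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not gerrit-oauth-provider code. Class, method and key
// prefix names are hypothetical; the sample users are constructed.
public class ExternalIdDemo {
  record BitbucketUser(String uuid, String username, String displayName) {}

  static final String BY_NAME = "bitbucket:username:"; // hypothetical key scheme
  static final String BY_UUID = "bitbucket:uuid:";

  private final Map<String, Integer> links = new HashMap<>(); // external id -> account
  private int nextAccountId = 1000;

  // Legacy lookup: the account follows whoever currently holds the username.
  int loginByUsername(BitbucketUser u) {
    return links.computeIfAbsent(BY_NAME + u.username(), k -> nextAccountId++);
  }

  // UUID lookup: username and display_name are treated as display data only.
  int loginByUuid(BitbucketUser u) {
    return links.computeIfAbsent(BY_UUID + u.uuid(), k -> nextAccountId++);
  }

  // One-off migration from a username -> UUID snapshot the operator trusts.
  // Links missing from the snapshot stay under the old key for manual review.
  void migrate(Map<String, String> trustedUuidByUsername) {
    trustedUuidByUsername.forEach((name, uuid) -> {
      Integer account = links.remove(BY_NAME + name);
      if (account != null) links.put(BY_UUID + uuid, account);
    });
  }

  public static void main(String[] args) {
    BitbucketUser alice = new BitbucketUser("{11111111-1111-1111-1111-111111111111}", "alice", "Alice");
    BitbucketUser renamed = new BitbucketUser(alice.uuid(), "alice-new", "Alice");
    BitbucketUser other = new BitbucketUser("{22222222-2222-2222-2222-222222222222}", "alice", "Alice");

    ExternalIdDemo legacy = new ExternalIdDemo();
    int a = legacy.loginByUsername(alice);
    System.out.println("username key, other user gets alice's account: " + (legacy.loginByUsername(other) == a));

    ExternalIdDemo fixed = new ExternalIdDemo();
    int b = fixed.loginByUsername(alice);
    fixed.migrate(Map.of("alice", alice.uuid()));
    System.out.println("uuid key, renamed alice keeps her account: " + (fixed.loginByUuid(renamed) == b));
    System.out.println("uuid key, other user gets alice's account: " + (fixed.loginByUuid(other) == b));
  }
}
```

The migration is only as trustworthy as the username-to-UUID snapshot it is given, so the snapshot has to come from a source that predates any rename.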

Because we did not do this change, #120 and #127 are currently preventing some users from logging in.

stephen-smith, Jun 17 '19 20:06

So yes, now the problem is even more serious, because we first have to change to API v2 to start getting the data again. We have this PR that I closed without merging, because the canonical repository is googlesource.com.

davido, Jun 17 '19 20:06