
Feature/authentication strategies

Open precious-void opened this issue 4 years ago • 9 comments

Issue

The current bitbucket lib does not support authorization strategies for OAuth.

What I have done?

I have implemented the main OAuth2 authorization methods to retrieve an access_token. It's a draft pull request for bitbucket authStrategies. I would be happy if someone checked or tested it.

  • [x] Authorization Code Grant
  • [ ] Implicit Grant
  • [x] Resource Owner Password Credentials Grant
  • [x] Client Credentials Grant
  • [x] Bitbucket Cloud JWT Grant (urn:bitbucket:oauth2:jwt)

https://developer.atlassian.com/bitbucket/api/2/reference/meta/authentication

Related issue #18

precious-void avatar Feb 15 '21 16:02 precious-void

Hey @shtelzerartem, thanks for opening this draft.

I see there are many unrelated changes. They would make reviewing this so much harder. For example:

  • gitignore
  • updating package versions, changing build script, adding other scripts in package.json
  • Changing names for types and variables.

Can you please remove those?

MunifTanjim avatar Feb 25 '21 13:02 MunifTanjim

@MunifTanjim yes, for sure! I still feel a bit frustrated about the structure of the auth plugin and its flow. That is why I opened a draft PR: just to describe the general idea of how the authentication strategies are organized. Also, there are some other things that are missing right now, for example, an after hook to refresh the access_token if it has expired.

I will probably clean up the code soon, so you will be able to review it.

precious-void avatar Feb 26 '21 22:02 precious-void

@MunifTanjim hey, I have tried to clean it up as much as possible. There are structural changes: I merged the auth and authentication plugins into one monolithic plugin as a first solution. I need your help with splitting them, as was done in GitHub's octokit.

precious-void avatar Feb 28 '21 09:02 precious-void

It might be the case I'm implementing it wrong, but I'm getting an error when trying to test this.

What I've done so far:

  • cloned the @shtelzerartem repository & checked out the feature/authentication-strategies branch
  • executed yarn & yarn pack
  • created a test script implementing the method in the following form:
import { Bitbucket } from './lib/index.js'

const doSomething = async () => {
  const options = {
    authStrategy: 'OAuth',
    auth: {
      grant_type: 'clientCredentialsGrant',
      client_id: 'OAUTH_CONSUMER_CLIENTID',
      client_secret: 'OAUTH_CONSUMER_SECRET'
    }
  }
  try {
    const bitbucket = new Bitbucket(options)
    console.log(await bitbucket.auth())
    const result = await bitbucket.user.get({})
    console.log(result)
  } catch (err) {
    console.error(err)
  }
}

doSomething()

This returns the following error:

TypeError: Cannot read property 'defaults' of undefined
    at N (~/node-bitbucket/lib/index.js:1:12882)
    at J (~/node-bitbucket/lib/index.js:1:13336)
    at ~/node-bitbucket/lib/index.js:1:13675
    at ~/node-bitbucket/lib/index.js:1:13605
    at ~/node-bitbucket/lib/index.js:1:13641
    at ~/node-bitbucket/lib/index.js:1:13511
    at ~/node-bitbucket/lib/index.js:1:14210
    at ~/node-bitbucket/lib/index.js:1:14078
    at ~/node-bitbucket/lib/index.js:1:14112
    at ~/node-bitbucket/lib/index.js:1:13984

If I change the auth method to use an AppPassword, it does return my account information accordingly.

I wonder if there's something wrong in the test script or I'm missing something right now. I guess the expected result is to start the authentication process. I wonder if there's any specific callback URL we should use, like https://localhost:1234/oauth2 or whatever, in the setup of the Bitbucket OAuth consumer application.

Thanks and great job! I'm really keen to see this working and to report any issues. (I don't have the skill-set right now to contribute on the development side.)

Raspikabek avatar Mar 27 '21 17:03 Raspikabek

@Raspikabek hey, thanks for testing! Yep, there was a bug, which I have fixed in the latest commit. About the implementation: everything is right.

About callbacks. Are you talking about the Authorization Code Grant and Implicit Grant authentication methods, where the user has to be redirected to Bitbucket and then returned with the token params in the query? If yes, unfortunately, I haven't been working on this part.

precious-void avatar Mar 27 '21 19:03 precious-void

Nice! Now it seems to be working! Thanks for the quick response.

Related to the Implicit Grant & Authorization Code Grant, I guess that might require implementing and importing an express application of some sort to include in the package.

BTW, with the Authorization Code Grant, even though I've added a code, it does return an error:

  error: {
    error_description: 'Missing required field: code',
    error: 'invalid_request'
  },

Anyway... I guess the best approach to implementing a secure login process using this library would be to use the JWT Auth and implement the authorization process to get the JWT token from my own application (the one that requires this library), using something like this example provided by Atlassian

Again thanks a million for the hard work!

Raspikabek avatar Mar 27 '21 22:03 Raspikabek

@Raspikabek thank you for another bug! I will fix it soon.

About the Implicit Grant and Authorization Code Grant (all the https://bitbucket.org/site/oauth2/authorize requests): this library must not provide a way to resolve them, but just allow you to authenticate requests using the responses from them.

Implicit Grant: after the redirect to your service, you will be able to pull the access_token out of the URL #access_token={token}&token_type=bearer and pass it as an option to the Bitbucket object.

new Bitbucket({
  auth: {
    type: 'token',
    token: '<YOUR BEARER TOKEN>',
  },
})

Authorization Code Grant: from https://bitbucket.org/site/oauth2/authorize?client_id={client_id}&response_type=code you will be redirected to a URL with ?code={code}, which you will be able to use further.

new Bitbucket({
  authStrategy: 'OAuth',
  auth: {
    grant_type: 'authorizationCodeGrant',
    client_id: '<CLIENT ID>',
    client_secret: '<CLIENT SECRET>',
    code: '<CLIENT CODE>',
  },
})

With JWT Auth, I think it's the same trick.

precious-void avatar Mar 29 '21 07:03 precious-void

@MunifTanjim have you had a chance to go over it? It looks like everything we went over with @Raspikabek works fine.

precious-void avatar Apr 04 '21 10:04 precious-void

@MunifTanjim any update on this?

precious-void avatar Dec 28 '21 07:12 precious-void