feat(bitbucket-server): Add bitbucket http access token support

[Gagarmel]

Changes

Add the possibility to use HTTP access tokens for authentication against Bitbucket Server. Personal access tokens as well as porject/repository scoped tokens will work. When setting a token Bearer Auth will be used instead of Basic Auth (Ref: Using HTTP access tokens

Context

fixes #14900

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests but ran on a real repository, or
• Both unit tests + ran on a real repository

[rarkins]

Is there still a use case for keeping username+token or could it be deprecated in a future release and support token only?

[Churro]

Is there still a use case for keeping username+token or could it be deprecated in a future release and support token only?

At least from a performance perspective, with "token-only" in bitbucket-server, renovate fetches the entire list of PRs as it cannot filter by author.

It might make sense to try out if automerge works with token-only or, if not, highlight this in the docs. According to BB docs:

You can’t use a token to merge a pull request as the merge creates a commit (only users with a valid e-mail address can create a commit)

[rarkins]

Is there still a use case for keeping username+token or could it be deprecated in a future release and support token only?

At least from a performance perspective, with "token-only" in bitbucket-server, renovate fetches the entire list of PRs as it cannot filter by author.

In that case we should either:

• Use the token to access a "whoami" endpoint to find out our username, or
• Make username mandatory still

It might make sense to try out if automerge works with token-only or, if not, highlight this in the docs. According to BB docs:

You can’t use a token to merge a pull request as the merge creates a commit (only users with a valid e-mail address can create a commit)

Great catch!

[Gagarmel]

Is there still a use case for keeping username+token or could it be deprecated in a future release and support token only?

At least from a performance perspective, with "token-only" in bitbucket-server, renovate fetches the entire list of PRs as it cannot filter by author.

In that case we should either:

* Use the token to access a "whoami" endpoint to find out our username, or

* Make username mandatory still

This would make the whole PR obsolete. The problem is that you can create access tokens on project/repo level. Those tokens don't have a user.

It might make sense to try out if automerge works with token-only or, if not, highlight this in the docs. According to BB docs:

You can’t use a token to merge a pull request as the merge creates a commit (only users with a valid e-mail address can create a commit)

Great catch!

[rarkins]

Do tokens exist with or without username, or only without username?

[Gagarmel]

Do tokens exist with or without username, or only without username?

You can create user based access tokens and repository/project based tokens without user.
User based tokens can be used with Basic auth
curl -u username:MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx https://example.com/rest/api/latest/resource/path
or Bearer auth
curl -H 'Authorization: Bearer MDM0MjM5NDc2MDxxxxxxxxxxxxxxxxxxxxx' https://example.com/rest/api/latest/resource/path

Project/Repository tokens only work with Bearer since they don't have a user

[rarkins]

My question was a little ambiguous, so I need to ask a different way: Is it possible to combine tokens with username, or are they always without username?

[Gagarmel]

My question was a little ambiguous, so I need to ask a different way: Is it possible to combine tokens with username, or are they always without username?

• if you are using Basic Auth, the username must be set and correct
• if you are using Bearer Auth, you cannot provide a username

[rarkins]

We decide which auth to use, not the user. It's not answering my question

[Gagarmel]

Do tokens exist with or without username, or only without username?

There are tokens with and without usernames

My question was a little ambiguous, so I need to ask a different way: Is it possible to combine tokens with username, or are they always without username?

There are tokens with username and tokens without username

[renovate-release]

🎉 This PR is included in version 37.288.0 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)
• 37.288.0

Your semantic-release bot 📦🚀