The /repository/scan endpoint does not accept Personal Access Token (PAT) unless anonymous users are able to trigger specs detection


    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • 10.2.1
    • Affects Version/s: 9.6.0
    • Component/s: API, REST API
    • None
    • 1
    • Severity 3 - Minor

      Issue Summary

      The /api/latest/repository/scan API endpoint doesn't authenticate with Personal Access Tokens (PAT). While basic auth works, using a Personal Access Token returns a 401.

      Steps to Reproduce

      1. Ensure that "Allow anonymous users to trigger remote repository change detection and Bamboo Specs detection" is disabled (it is by default) under Administration > Security settings
      2. Send a POST request to "api/latest/repository/scan", passing the name of a repository to trigger a Specs scan (e.g., /repository/scan?name=myRepo) and using a Personal Access Token for authentication.
        curl --request POST \
          --url 'https://myBamboo.com/rest/api/latest/repository/scan?name=myRepo' \
          --header 'Authorization: Bearer TOKEN_HERE'

      Expected Results

      The authentication using PAT works and a Specs Scan gets triggered for the repository (if applicable).

      Actual Results

      The endpoint call returns a 401:

      < HTTP/2 401 
      ...
      {"message":"Anonymous user can't access this resource. If it should be available, modify anonymous user permissions at Administration > Security settings","status-code":401}

      Workaround

      Use the /rest/api/latest/repository/REPOSITORY_ID/scanNow endpoint instead. It does the same thing, except that it always triggers the Specs scan, whereas the other endpoint triggers the scan only if there are new commits to be scanned.

      /rest/api/latest/repository/REPOSITORY_ID/scanNow
      

      Please replace REPOSITORY_ID with the ID of the repository you want to trigger a specs scan for.

      Repository ID

      If you don't have the ID of the repositories to use in the endpoint above, you can get it by performing a GET request to the following endpoint, replacing NAME with a keyword from your repository name:

      /rest/api/latest/repository?searchTerm=NAME
      

      For example, ?searchTerm=specs would return repositories that contain "specs" in their name. The output would be similar to the following, where 851969 is the ID to be used for the specs scan trigger endpoint:

      [
        {
          "id": 851969,
          "name": "specs",
          "url": "https://myBamboo/admin/configureLinkedRepositories.action?repositoryId=851969",
          "rssEnabled": true
        }
      ]
      

      Specifying branches

      It's also possible to specify which branch from the repository should be scanned for specs. This can be done with the ?branch=NAME query filter. For example, the endpoint below would scan the "main" branch of the repository ID 851969 for specs:

      /rest/api/latest/repository/851969/scanNow?branch=main
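
The scanNow workaround above as a script, added here as an example and not Atlassian's code: it assumes scanNow is called with POST, as /repository/scan is in this report, and uses the report's placeholder host. Because searchTerm matches any repository containing the keyword, it accepts only a single exact-name hit before building the URL.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://myBamboo.com/rest/api/latest"  # placeholder host from the report


def pick_repository_id(search_json, name):
    """searchTerm is a substring match, so accept only one exact-name hit."""
    hits = [r["id"] for r in json.loads(search_json) if r.get("name") == name]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} repositories named {name!r}, expected 1")
    return hits[0]


def scan_now_url(repo_id, branch=None):
    """Build the scanNow URL; int() rejects anything but a numeric ID."""
    url = f"{BASE}/repository/{int(repo_id)}/scanNow"
    if branch:
        url += "?" + urllib.parse.urlencode({"branch": branch})
    return url


def build_request(url, token, method):
    """Send the PAT as a Bearer header, as in the curl call in the report."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return urllib.request.Request(url, method=method, headers=headers)


def trigger_scan(name, token, branch=None):
    query = urllib.parse.urlencode({"searchTerm": name})
    lookup = build_request(f"{BASE}/repository?{query}", token, "GET")
    with urllib.request.urlopen(lookup) as resp:
        repo_id = pick_repository_id(resp.read(), name)
    # Assumption: scanNow is invoked with POST, like /repository/scan
    scan = build_request(scan_now_url(repo_id, branch), token, "POST")
    with urllib.request.urlopen(scan) as resp:
        return resp.status


# Constructed sample: a searchTerm=specs response matching two repositories
SAMPLE = '[{"id": 851969, "name": "specs"}, {"id": 851970, "name": "specs-old"}]'

if __name__ == "__main__":
    # Offline demo on the constructed sample; trigger_scan() needs a real PAT
    print(scan_now_url(pick_repository_id(SAMPLE, "specs"), "main"))
```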
      

      Another option

      Another workaround is to enable "Allow anonymous users to trigger remote repository change detection and Bamboo Specs detection" under Bamboo Administration > Security settings so that anonymous users can trigger repository Specs scans.

            Assignee:
            Mateusz Szmal
            Reporter:
            Eduardo Collaziol
            Votes:
            1
            Watchers:
            2