From 7da67ce9370768939956001c728d80a67bef9ce0 Mon Sep 17 00:00:00 2001
From: Martin Ohmann
Date: Tue, 23 Jan 2024 12:00:53 +0100
Subject: [PATCH] fix(auth): use default scope `account` for Bitbucket auth
Fixes https://github.com/backstage/backstage/issues/22383
The scope `team` does not exist, a list of valid OAuth2 scopes can be found here:
- https://developer.atlassian.com/cloud/bitbucket/rest/intro/#bitbucket-oauth-2-0-scopes
The `passport-bitbucket-oauth2` package implementing OAuth2 for Bitbucket under the hood uses the `/2.0/user` API to retrieve the user information, which requires the `account` scope:
- https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-user-get
- https://github.com/bithound/passport-bitbucket-oauth2/blob/master/lib/passport-bitbucket/strategy.js#L60
Signed-off-by: Martin Ohmann
---
 .changeset/shaggy-windows-cross.md | 7 +++++++
 packages/app-defaults/src/defaults/apis.ts | 2 +-
 .../apis/implementations/auth/bitbucket/BitbucketAuth.ts | 2 +-
 packages/test-utils/src/testUtils/defaultApis.ts | 2 +-
 4 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 .changeset/shaggy-windows-cross.md
diff --git a/.changeset/shaggy-windows-cross.md b/.changeset/shaggy-windows-cross.md
new file mode 100644
index 0000000000..185c6d59ef
--- /dev/null
+++ b/.changeset/shaggy-windows-cross.md
@@ -0,0 +1,7 @@
+---
+'@backstage/app-defaults': patch
+'@backstage/core-app-api': patch
+'@backstage/test-utils': patch
+---
+
+Change `defaultScopes` for Bitbucket auth from invalid `team` to `account`.
diff --git a/packages/app-defaults/src/defaults/apis.ts b/packages/app-defaults/src/defaults/apis.ts
index 3a552c25c7..848d204670 100644
--- a/packages/app-defaults/src/defaults/apis.ts
+++ b/packages/app-defaults/src/defaults/apis.ts
@@ -224,7 +224,7 @@ export const apis = [
 configApi,
 discoveryApi,
 oauthRequestApi,
- defaultScopes: ['team'],
+ defaultScopes: ['account'],
 environment: configApi.getOptionalString('auth.environment'),
 }),
 }),
diff --git a/packages/core-app-api/src/apis/implementations/auth/bitbucket/BitbucketAuth.ts b/packages/core-app-api/src/apis/implementations/auth/bitbucket/BitbucketAuth.ts
index 7a9f1bc094..2695b54c30 100644
--- a/packages/core-app-api/src/apis/implementations/auth/bitbucket/BitbucketAuth.ts
+++ b/packages/core-app-api/src/apis/implementations/auth/bitbucket/BitbucketAuth.ts
@@ -52,7 +52,7 @@ export default class BitbucketAuth {
 environment = 'development',
 provider = DEFAULT_PROVIDER,
 oauthRequestApi,
- defaultScopes = ['team'],
+ defaultScopes = ['account'],
 } = options;
 return OAuth2.create({
diff --git a/packages/test-utils/src/testUtils/defaultApis.ts b/packages/test-utils/src/testUtils/defaultApis.ts
index 2231d28cd0..738aa0f47b 100644
--- a/packages/test-utils/src/testUtils/defaultApis.ts
+++ b/packages/test-utils/src/testUtils/defaultApis.ts
@@ -183,7 +183,7 @@ export const defaultApis = [
 configApi,
 discoveryApi,
 oauthRequestApi,
- defaultScopes: ['team'],
+ defaultScopes: ['account'],
 environment: configApi.getOptionalString('auth.environment'),
 }),
 }),
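Review bot: The literal `defaultScopes: ['account'],` in this hunk is repeated in the `BitbucketAuth.ts` default and again in the `packages/test-utils/src/testUtils/defaultApis.ts` hunk, and that triplication is how the invalid `team` value had to be fixed in three places. If the factory called here is the one whose destructuring default is shown in the `BitbucketAuth.ts` hunk (the call itself is outside the hunk, so this is an assumption to confirm), both call sites can drop the line and inherit the default. Keeping the requested OAuth scope in a single place also makes it easier to audit that the app asks Bitbucket for no more access than sign-in needs.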
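Review bot: The new default `defaultScopes = ['account'],` in `BitbucketAuth.ts` has no comment saying why this particular scope is requested; the reason (the `/2.0/user` lookup done by `passport-bitbucket-oauth2`) is recorded only in the commit message. I would add a line above it such as `// 'account' is needed for the /2.0/user profile lookup; see Bitbucket OAuth 2.0 scopes`, so a later least-privilege cleanup does not narrow the scope and break sign-in, and so anyone widening it has a stated baseline to justify against. The destructuring statement begins above the hunk and the `OAuth2.create` call continues below it.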