
Versions after 2.8.0 fail when accessing a private Bitbucket Repository via an OAuth consumer for the first time. #12441

@ScottJohansen

My composer.json:

{
    "name": "laravel/laravel",
    "type": "project",
    "description": "The Laravel Framework.",
    "keywords": ["framework", "laravel"],
    "license": "MIT",
    "require": {
        "php": "~8.1.0",
        "clystnet/vtiger": "6.1.0",
        "clystnet/vtiger_client_login": "^5.0",
        "guzzlehttp/guzzle": "^7.2",
        "laravel-notification-channels/webpush": "^7.1",
        "laravel/framework": "^10.0",
        "laravel/horizon": "^5.15",
        "laravel/sanctum": "^3.2",
        "laravel/tinker": "^2.8",
        "livewire/livewire": "^2.12",
        "silviolleite/laravelpwa": "^2.0"
    },
    "require-dev": {
        "fakerphp/faker": "^1.9.1",
        "laravel/pint": "^1.0",
        "laravel/sail": "^1.31",
        "mockery/mockery": "^1.4.4",
        "nunomaduro/collision": "^7.0",
        "phpunit/phpunit": "^10.0",
        "spatie/laravel-ignition": "^2.0"
    },
    "autoload": {
        "psr-4": {
            "App\\": "app/",
            "Database\\Factories\\": "database/factories/",
            "Database\\Seeders\\": "database/seeders/"
        }
    },
    "autoload-dev": {
        "psr-4": {
            "Tests\\": "tests/"
        }
    },
    "scripts": {
        "post-autoload-dump": [
            "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
            "@php artisan package:discover --ansi"
        ],
        "post-root-package-install": [
            "@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
        ],
        "post-create-project-cmd": [
            "@php artisan key:generate --ansi"
        ],
        "post-update-cmd": [
            "@php artisan vendor:publish --tag=laravel-assets --ansi --force"
        ]
    },
    "extra": {
        "laravel": {
            "dont-discover": []
        }
    },
    "config": {
        "optimize-autoloader": true,
        "preferred-install": "dist",
        "sort-packages": true,
        "allow-plugins": {
            "pestphp/pest-plugin": true,
            "php-http/discovery": true
        },
        "bitbucket-oauth": {
        }
    },
    "minimum-stability": "dev",
    "prefer-stable": true,
    "repositories": [
        {
            "type": "git",
            "url":  "https://my-bitbucket-repo"
        },
        {
            "type": "git",
            "url":  "https://my-bitbucket-repo"
        }
    ]
}

Output of composer diagnose:

Checking composer.lock: OK
Checking platform settings: OK
Checking git settings: OK git version 2.43.5
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: <fingerprint>
Dev Public Key Fingerprint: <fingerprint>
OK
Checking Composer version: You are not running the latest stable version, run `composer self-update` to update (2.8.0 => 2.8.9)
Checking Composer and its dependencies for vulnerabilities: FAIL
Audit found some issues:
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/process                                                                  |
| Severity          | high                                                                             |
| CVE               | CVE-2024-51736                                                                   |
| Title             | CVE-2024-51736: Command execution hijack on Windows with Process class           |
| URL               | https://symfony.com/cve-2024-51736                                               |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
|                   | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
|                   | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7               |
| Reported at       | 2024-11-05T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Composer version: 2.8.0
PHP version: 8.1.32
PHP binary path: /opt/remi/php81/root/usr/bin/php
OpenSSL version: OpenSSL 1.1.1k  FIPS 25 Mar 2021
curl version: 7.61.1 libz 1.2.11 ssl OpenSSL/1.1.1k
zip: extension present, unzip not available, 7-Zip not available

When I run this command:

composer install

I get the following output:

- Syncing <private-repo-package> into cache
Enter your Bitbucket credentials to access private repos
follow the instructions here:
https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/
to create a consumer. It will be stored in "/root/.config/composer/auth.json" for future use by Composer.
Ensure you enter a "Callback URL" or it will not be possible to create an Access Token (this callback url will not be used by composer)
Consumer Key (hidden): 
Consumer Secret (hidden):
Invalid OAuth consumer provided
This can have three reasons:
---

And I expected this to happen:

I expected to have the repository pulled down correctly. However, even though these credentials have worked across hundreds of projects for 5+ years, they did not work correctly. I have found that after downgrading to Composer version 2.7.7 and running the same command, everything works as intended, but having tested this on versions 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7 and 2.8.8, this does not work.
