Composer 2.8.0 and later fail when accessing a private Bitbucket repository via an OAuth consumer for the first time (2.7.7 works; every 2.8.x release tested below fails).
My composer.json
:
{ "name": "laravel/laravel", "type": "project", "description": "The Laravel Framework.", "keywords": ["framework", "laravel"], "license": "MIT", "require": { "php": "~8.1.0", "clystnet/vtiger": "6.1.0", "clystnet/vtiger_client_login": "^5.0", "guzzlehttp/guzzle": "^7.2", "laravel-notification-channels/webpush": "^7.1", "laravel/framework": "^10.0", "laravel/horizon": "^5.15", "laravel/sanctum": "^3.2", "laravel/tinker": "^2.8", "livewire/livewire": "^2.12", "silviolleite/laravelpwa": "^2.0" }, "require-dev": { "fakerphp/faker": "^1.9.1", "laravel/pint": "^1.0", "laravel/sail": "^1.31", "mockery/mockery": "^1.4.4", "nunomaduro/collision": "^7.0", "phpunit/phpunit": "^10.0", "spatie/laravel-ignition": "^2.0" }, "autoload": { "psr-4": { "App\\": "app/", "Database\\Factories\\": "database/factories/", "Database\\Seeders\\": "database/seeders/" } }, "autoload-dev": { "psr-4": { "Tests\\": "tests/" } }, "scripts": { "post-autoload-dump": [ "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump", "@php artisan package:discover --ansi" ], "post-root-package-install": [ "@php -r \"file_exists('.env') || copy('.env.example', '.env');\"" ], "post-create-project-cmd": [ "@php artisan key:generate --ansi" ], "post-update-cmd": [ "@php artisan vendor:publish --tag=laravel-assets --ansi --force" ] }, "extra": { "laravel": { "dont-discover": [] } }, "config": { "optimize-autoloader": true, "preferred-install": "dist", "sort-packages": true, "allow-plugins": { "pestphp/pest-plugin": true, "php-http/discovery": true }, "bitbucket-oauth": { } }, "minimum-stability": "dev", "prefer-stable": true, "repositories": [ { "type": "git", "url": "https://my-bitbucket-repo" }, { "type": "git", "url": "https://my-bitbucket-repo" } ] }
Output of composer diagnose
:
Checking composer.lock: OK Checking platform settings: OK Checking git settings: OK git version 2.43.5 Checking http connectivity to packagist: OK Checking https connectivity to packagist: OK Checking github.com rate limit: OK Checking disk free space: OK Checking pubkeys: Tags Public Key Fingerprint: <fingerprint> Dev Public Key Fingerprint: <fingerprint> OK Checking Composer version: You are not running the latest stable version, run `composer self-update` to update (2.8.0 => 2.8.9) Checking Composer and its dependencies for vulnerabilities: FAIL Audit found some issues: Found 1 security vulnerability advisory affecting 1 package: +-------------------+----------------------------------------------------------------------------------+ | Package | symfony/process | | Severity | high | | CVE | CVE-2024-51736 | | Title | CVE-2024-51736: Command execution hijack on Windows with Process class | | URL | https://symfony.com/cve-2024-51736 | | Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 | | | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< | | | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7 | | Reported at | 2024-11-05T08:00:00+00:00 | +-------------------+----------------------------------------------------------------------------------+ Composer version: 2.8.0 PHP version: 8.1.32 PHP binary path: /opt/remi/php81/root/usr/bin/php OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021 curl version: 7.61.1 libz 1.2.11 ssl OpenSSL/1.1.1k zip: extension present, unzip not available, 7-Zip not available
When I run this command:
composer install
I get the following output:
- Syncing <private-repo-package> into cache Enter your Bitbucket credentials to access private repos follow the instructions here: https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/ to create a consumer. It will be stored in "/root/.config/composer/auth.json" for future use by Composer. Ensure you enter a "Callback URL" or it will not be possible to create an Access Token (this callback url will not be used by composer) Consumer Key (hidden): Consumer Secret (hidden): Invalid OAuth consumer provided This can have three reasons: ---
And I expected this to happen:
I expected the repository to be pulled down correctly. Instead, even though these same consumer credentials have worked across hundreds of projects for 5+ years, Composer rejects them with "Invalid OAuth consumer provided". Downgrading to Composer 2.7.7 and running the same command works as intended, whereas every 2.8.x release I tested (2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7 and 2.8.8) fails. Note that the downgrade is only a diagnostic workaround: the `composer diagnose` output above already flags the symfony/process bundled in 2.8.0 as affected by CVE-2024-51736, and 2.7.7 predates that fix, so pinning the older Composer should not be kept on shared or Windows-facing CI runners; the credentials also end up in plaintext in /root/.config/composer/auth.json, which suggests the install is running as root and that file should be protected accordingly.
Composer 2.8.0 and later fail when accessing a private Bitbucket repository via an OAuth consumer for the first time (2.7.7 works; every 2.8.x release tested below fails).
My composer.json
:
{ "name": "laravel/laravel", "type": "project", "description": "The Laravel Framework.", "keywords": ["framework", "laravel"], "license": "MIT", "require": { "php": "~8.1.0", "clystnet/vtiger": "6.1.0", "clystnet/vtiger_client_login": "^5.0", "guzzlehttp/guzzle": "^7.2", "laravel-notification-channels/webpush": "^7.1", "laravel/framework": "^10.0", "laravel/horizon": "^5.15", "laravel/sanctum": "^3.2", "laravel/tinker": "^2.8", "livewire/livewire": "^2.12", "silviolleite/laravelpwa": "^2.0" }, "require-dev": { "fakerphp/faker": "^1.9.1", "laravel/pint": "^1.0", "laravel/sail": "^1.31", "mockery/mockery": "^1.4.4", "nunomaduro/collision": "^7.0", "phpunit/phpunit": "^10.0", "spatie/laravel-ignition": "^2.0" }, "autoload": { "psr-4": { "App\\": "app/", "Database\\Factories\\": "database/factories/", "Database\\Seeders\\": "database/seeders/" } }, "autoload-dev": { "psr-4": { "Tests\\": "tests/" } }, "scripts": { "post-autoload-dump": [ "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump", "@php artisan package:discover --ansi" ], "post-root-package-install": [ "@php -r \"file_exists('.env') || copy('.env.example', '.env');\"" ], "post-create-project-cmd": [ "@php artisan key:generate --ansi" ], "post-update-cmd": [ "@php artisan vendor:publish --tag=laravel-assets --ansi --force" ] }, "extra": { "laravel": { "dont-discover": [] } }, "config": { "optimize-autoloader": true, "preferred-install": "dist", "sort-packages": true, "allow-plugins": { "pestphp/pest-plugin": true, "php-http/discovery": true }, "bitbucket-oauth": { } }, "minimum-stability": "dev", "prefer-stable": true, "repositories": [ { "type": "git", "url": "https://my-bitbucket-repo" }, { "type": "git", "url": "https://my-bitbucket-repo" } ] }
Output of composer diagnose
:
Checking composer.lock: OK Checking platform settings: OK Checking git settings: OK git version 2.43.5 Checking http connectivity to packagist: OK Checking https connectivity to packagist: OK Checking github.com rate limit: OK Checking disk free space: OK Checking pubkeys: Tags Public Key Fingerprint: <fingerprint> Dev Public Key Fingerprint: <fingerprint> OK Checking Composer version: You are not running the latest stable version, run `composer self-update` to update (2.8.0 => 2.8.9) Checking Composer and its dependencies for vulnerabilities: FAIL Audit found some issues: Found 1 security vulnerability advisory affecting 1 package: +-------------------+----------------------------------------------------------------------------------+ | Package | symfony/process | | Severity | high | | CVE | CVE-2024-51736 | | Title | CVE-2024-51736: Command execution hijack on Windows with Process class | | URL | https://symfony.com/cve-2024-51736 | | Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 | | | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< | | | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7 | | Reported at | 2024-11-05T08:00:00+00:00 | +-------------------+----------------------------------------------------------------------------------+ Composer version: 2.8.0 PHP version: 8.1.32 PHP binary path: /opt/remi/php81/root/usr/bin/php OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021 curl version: 7.61.1 libz 1.2.11 ssl OpenSSL/1.1.1k zip: extension present, unzip not available, 7-Zip not available
When I run this command:
composer install
I get the following output:
- Syncing <private-repo-package> into cache Enter your Bitbucket credentials to access private repos follow the instructions here: https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/ to create a consumer. It will be stored in "/root/.config/composer/auth.json" for future use by Composer. Ensure you enter a "Callback URL" or it will not be possible to create an Access Token (this callback url will not be used by composer) Consumer Key (hidden): Consumer Secret (hidden): Invalid OAuth consumer provided This can have three reasons: ---
And I expected this to happen:
I expected the repository to be pulled down correctly. Instead, even though these same consumer credentials have worked across hundreds of projects for 5+ years, Composer rejects them with "Invalid OAuth consumer provided". Downgrading to Composer 2.7.7 and running the same command works as intended, whereas every 2.8.x release I tested (2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7 and 2.8.8) fails. Note that the downgrade is only a diagnostic workaround: the `composer diagnose` output above already flags the symfony/process bundled in 2.8.0 as affected by CVE-2024-51736, and 2.7.7 predates that fix, so pinning the older Composer should not be kept on shared or Windows-facing CI runners; the credentials also end up in plaintext in /root/.config/composer/auth.json, which suggests the install is running as root and that file should be protected accordingly.