From c03ef1d68f8737bd3f19e4528777844c246ffbcc Mon Sep 17 00:00:00 2001
From: Devan Patel <Dev25@users.noreply.github.com>
Date: Mon, 31 Oct 2022 21:48:07 +0000
Subject: [PATCH] Bitbucket Server: Send password as Bearer instead of Basic
 Auth (#2461)

* Bitbucket Server: Send password as Bearer instead of Basic Auth

Signed-off-by: Devan Patel <Dev25@users.noreply.github.com>

* docs: Add Bearer note for Bitbucket Server auth

Signed-off-by: Dev <Dev25@users.noreply.github.com>

Signed-off-by: Devan Patel <Dev25@users.noreply.github.com>
Signed-off-by: Dev <Dev25@users.noreply.github.com>
---
 runatlantis.io/docs/access-credentials.md   | 2 ++
 server/events/vcs/bitbucketserver/client.go | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/runatlantis.io/docs/access-credentials.md b/runatlantis.io/docs/access-credentials.md
index b0947244e9..05d320b505 100644
--- a/runatlantis.io/docs/access-credentials.md
+++ b/runatlantis.io/docs/access-credentials.md
@@ -89,6 +89,8 @@ Since v0.19.7, a new permission for `Administration` has been added. If you have
 - Give the token **Read** Project permissions and **Write** Pull request permissions
 - Click **Create** and record the access token
 
+  NOTE: Atlantis will send the token as a [Bearer Auth to the Bitbucket API](https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html#HTTPaccesstokens-UsingHTTPaccesstokens) instead of using Basic Auth.
+
 ### Azure DevOps
 - Create a Personal access token by following [https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops)
 - Label the password "atlantis"
diff --git a/server/events/vcs/bitbucketserver/client.go b/server/events/vcs/bitbucketserver/client.go
index 7449234187..88ba703272 100644
--- a/server/events/vcs/bitbucketserver/client.go
+++ b/server/events/vcs/bitbucketserver/client.go
@@ -300,7 +300,11 @@ func (b *Client) prepRequest(method string, path string, body io.Reader) (*http.
 	if err != nil {
 		return nil, err
 	}
-	req.SetBasicAuth(b.Username, b.Password)
+
+	// Personal access tokens can be sent as basic auth or bearer
+	bearer := "Bearer " + b.Password
+	req.Header.Add("Authorization", bearer)
+
 	if body != nil {
 		req.Header.Add("Content-Type", "application/json")
 	}