Bitbucket doesn't properly send HTTP 401 response header on private repository requests (BB-805)
When trying to access files in private repositories, Bitbucket fails to send an HTTP 401 with a WWW-Authenticate header:
    $ curl -I http://bitbucket.org/<privaterepo>/raw/tip/<path>
    HTTP/1.1 403 FORBIDDEN
    Date: Wed, 31 Mar 2010 18:33:12 GMT
    Server: nginx/0.7.62
    Content-Type: text/html; charset=utf-8
    Vary: Cookie,Accept-Encoding
(I've left the actual repo and path out since they're private; contact me privately and I'd be happy to share the real details.)
This isn't just wrong from an HTTP standpoint; well-formed HTTP clients -- and Python's urllib2, in particular -- won't send authentication information unless challenged with an HTTP 401:
    >>> import urllib2
    >>> passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
    >>> passman.add_password(None, 'http://bitbucket.org/', 'jacobian', '<password>')
    >>> authhandler = urllib2.HTTPBasicAuthHandler(passman)
    >>> opener = urllib2.build_opener(authhandler)
    >>> f = opener.open('http://bitbucket.org/<repo>/raw/tip/<path>')
    ...
    HTTPError: HTTP Error 403: FORBIDDEN
This also fails if you use a basic HTTPPasswordMgr and specify the realm manually.
I discovered this when trying to use Review Board (1.5 beta 2) with a private Bitbucket repository. Review Board uses urllib2 in a manner nearly exactly like the above (see http://github.com/reviewboard/reviewboard/blob/master/reviewboard/scmtools/hg.py#L105).
I'm going to file this same bug against Review Board in a moment, and it probably won't be *too* hard to hack around Bitbucket's behavior and make Review Board work. But it is indeed a Bitbucket bug: Bitbucket should be sending an HTTP 401 response.
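
The behaviour described in this report, reproduced as an added example (not part of the original report and not Review Board's or Bitbucket's code). It uses Python 3's urllib.request, the successor to urllib2, against a constructed local server; the credentials, paths and function names are made up for the demo.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "alice", "example-password"  # constructed credentials
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.headers.get("Authorization") == EXPECTED:
            self.send_response(200)
        elif self.path.startswith("/challenge/"):
            # Correct behaviour: 401 plus a challenge the client can answer.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        else:
            # Behaviour from the report: 403 and no WWW-Authenticate header.
            self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass

def fetch_status(url, preemptive=False):
    passman = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    passman.add_password(None, url, USER, PASSWORD)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # ignore proxy environment variables
        urllib.request.HTTPBasicAuthHandler(passman))
    req = urllib.request.Request(url)
    if preemptive:
        # Workaround: send credentials unchallenged (use HTTPS outside a demo).
        req.add_header("Authorization", EXPECTED)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        return (fetch_status(base + "/challenge/file"),
                fetch_status(base + "/private/file"),
                fetch_status(base + "/private/file", preemptive=True))
    finally:
        server.shutdown()
        server.server_close()
```

The three results are, in order: the auth handler answering a proper 401 challenge, the same handler never sending credentials when the server replies 403, and the preemptive-header workaround succeeding against the 403 endpoint.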