1. Bitbucket
  2. Public Issue Tracker
  3. master
  4. Issues

Issues

Issue #6548 resolved

Download tar / zip with oauth api token

Daniel Knell
created an issue

I have a project that requires allowing members of an organisation to download the contents of a private repository via a script, I was hoping I would be able to use bitbucket and access the download links with oauth credentials, but this does not appear to be possible currently.

I would like to use my oauth credentials to access the following uri's on private repositories.

https://bitbucket.org/{user}/{repo}/get/{branch,tag}.{zip,tar.gz,tar.bz}

github currently supports this feature and their API docs for it can be found here, but as a mercurial user thats not really an option for me:

http://developer.github.com/v3/repos/contents/

they appear to have an endpoint that generates short lived token with access to the download.

Comments (22)

  1. Erik van Zijst staff

    Any URL on Bitbucket should be accessible using OAuth (like Twitter, but in contrast to GitHub, we use OAuth 1.0), including the download artifacts.

    I just gave it a quick try just to be sure and I had no trouble.

    How have you tried to access those URLs? Which OAuth client are you using and which OAuth consumer key?

  2. Joseph Newing

    I am unable to get this to work at all.

    Page I'm requesting is as follows: https://bitbucket.org/{owner}/{repo}/get/master.tar.gz

    I wish to access this page using OAuth token that I already have for the user. as I added the following to my http header

    Authorization: OAuth oauth_consumer_key=mykeyhere, oauth_nonce=JcPolK7L72quQxNkQN4mUTqsz7ZfqQu1, oauth_signature_method=HMAC-SHA1, oauth_timestamp=1390421341, oauth_version=1.0, oauth_token=userstoken, oauth_signature=GqtswjvlprHz9ft9fPXE%2FudrrdE%3D
    
  3. Tyler Romeo

    I also just tried this and am getting 401 responses. Is there anything special we have to do? (I'm using Guzzle as my OAuth client. It works for other API URLs without a problem, but trying the .tar.gz does not work.)

  4. Erik van Zijst staff

    Joseph Newing and Tyler Romeo, I could not reproduce the problem, but am happy to have a look into your issue. To do so I will need the actual consumer key and secret though (or the account that owns it, so I can look it up in the database).

    I would also like to see the entire collection of request and response headers and potential request/response bodies.

    Could you both please email these details to support@bitbucket.org?

  5. John Garcia

    Hey there, to verify this issue we need the information as cited by Erik above:

    I could not reproduce the problem, but am happy to have a look into your issue. To do so I will need the actual consumer key and secret though (or the account that owns it, so I can look it up in the database). I would also like to see the entire collection of request and response headers and potential request/response bodies. Could you both please email these details to support@bitbucket.org?

  6. Ian Bytchek

    Erik van Zijst the issue that I'm having is that there is no documentation on how to get this working. There is Fare-thee-well, Digest access authentication and a link to general OAuth documentation, which sort of implies it's doable, and then there's a comment saying the opposite, which is confusing. And then there's Taylor Otwell saying he can't get this to work. The whole thing looks complicated, if not desperate.

    I'm exploring the possibility getting the contents of private repository without using git commands, the only way seems to be becoming an expert in OAuth. I'll email the support if that's a better option in your opinion, but it would be very helpful to have a guide on how to do this. I'm sure I'm not the first nor the last one wondering about this.

  7. Erik van Zijst staff

    That comment is false. I've deleted it. As stated earlier in this thread, every URL can be accessed, including the tar balls.

    Depending on your requirements, downloading a zip (or indeed, a tgz) is as simple as:

    $ wget --user user --password pass https://bitbucket.org/{username}/{repo}/get/master.tar.gz
    

    There's no specific documentation for archive links, as there is nothing different about them. If you have an OAuth-capable client, you can hit these links. Same for Basic Auth.

    Again, if you have trouble with any of this, please contact support and we're happy to help out.

  8. Log in to comment