Bitbucket SSO maps users by username, allowing GitLab logins to be taken on update
The issue
When signing into GitLab using a Bitbucket Cloud account, we map the logged-in GitLab user to their Bitbucket user using their username. However, you can change your username on Bitbucket at any time. If someone were to change their username on Bitbucket after using it to log into GitLab, another Bitbucket user could pick up the newly-available username, log into GitLab with their own Bitbucket credentials and have access to the GitLab account of the person who originally owned that username.
Steps to recreate
- Create a Bitbucket Cloud account. I made an account with the username `sword-gitlab`.
- Integrate BBC into your application and allow SSO for `bitbucket`.
- Sign into GitLab with the Bitbucket account you just created (`sword-gitlab`). Once you're successfully signed in, sign out.
- Go to bitbucket.com and sign in with the account you used to SSO into GitLab.
- Change your Bitbucket username to something new (`sword-gitlab` -> `samword-gitlab`).
- Sign out of this Bitbucket account, and create a new Bitbucket user with your first user's username now that it's available (`sword-gitlab`, but with a new email and password).
- Return to GitLab and sign in with Bitbucket again using your second user's Bitbucket credentials (`sword-gitlab`, but using the new email and password). Clearing cookies or using a private tab works best to ensure you're signing into Bitbucket with your second user's credentials.
- See that you have logged into the same account as before with the new credentials.
- Attempting to sign in again with the first credentials results in an "Email has already been taken" error.
Potential fix
We define `uid` as `username` in our Bitbucket OAuth strategy. We should really be using the Atlassian account UUID, which is available in the same API response we use to get the user's username. The fix should be as simple as changing this line to `raw_info['uuid']`. This should fix new Bitbucket sign-ins, but will not likely be complete for existing identities.
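The following Ruby script is an added illustration, not GitLab's or the omniauth-bitbucket strategy's own code. It replays the sequence from the steps above against a stand-in identity table (`ExampleIdentityStore`, keyed on provider plus `extern_uid`, as an assumption about how the lookup behaves) with two `uid` derivations side by side: the current one taken from `raw_info['username']`, and the proposed one taken from `raw_info['uuid']`. The user names, account ids and UUID values are constructed sample data.

```ruby
# Added example (not GitLab's or omniauth-bitbucket's code): shows why keying an
# OAuth identity on the mutable Bitbucket username lets a reused username resolve
# to someone else's account, and why the stable Atlassian account UUID does not.
require 'securerandom'

# Current derivation: the username from the /2.0/user response (mutable).
def uid_from_username(raw_info)
  raw_info['username']
end

# Proposed derivation: the Atlassian account UUID from the same response (stable).
def uid_from_uuid(raw_info)
  raw_info['uuid']
end

# Assumed stand-in for the identities table: [provider, extern_uid] -> account id.
class ExampleIdentityStore
  def initialize
    @identities = {}
  end

  # First login binds extern_uid to the given account; later logins return the
  # account already bound to that extern_uid, whoever presents it.
  def find_or_create(provider, extern_uid, account_id)
    @identities[[provider, extern_uid]] ||= account_id
  end
end

# Constructed sample API responses. Only the two fields the report relies on are
# modelled; the UUID strings are random placeholders generated at load time.
ALICE_UUID   = "{#{SecureRandom.uuid}}".freeze
MALLORY_UUID = "{#{SecureRandom.uuid}}".freeze

ALICE_BEFORE_RENAME = { 'username' => 'sword-gitlab',    'uuid' => ALICE_UUID }.freeze
ALICE_AFTER_RENAME  = { 'username' => 'samword-gitlab',  'uuid' => ALICE_UUID }.freeze
MALLORY_REUSED_NAME = { 'username' => 'sword-gitlab',    'uuid' => MALLORY_UUID }.freeze

# Replays the report's sequence with one uid derivation and returns which
# GitLab account each sign-in resolved to.
def replay(uid_strategy)
  store = ExampleIdentityStore.new
  # 1. Alice signs in for the first time under her original username.
  alice = store.find_or_create('bitbucket', uid_strategy.call(ALICE_BEFORE_RENAME), 'account-alice')
  # 2. Alice renames herself on Bitbucket; a second user registers the freed
  #    username and signs in to GitLab with their own credentials.
  mallory = store.find_or_create('bitbucket', uid_strategy.call(MALLORY_REUSED_NAME), 'account-mallory')
  # 3. Alice signs in again under her new username. With username keying this
  #    looks like a brand new identity (in the report it surfaces as the
  #    "Email has already been taken" error when a fresh account is attempted).
  alice_again = store.find_or_create('bitbucket', uid_strategy.call(ALICE_AFTER_RENAME), 'account-alice-new')
  { alice: alice, mallory: mallory, alice_again: alice_again }
end

# Username-keyed identities: the second user lands in Alice's account.
def username_mapping
  replay(method(:uid_from_username))
end

# UUID-keyed identities: each Atlassian account keeps its own GitLab account
# across renames, and the reused username maps nowhere.
def uuid_mapping
  replay(method(:uid_from_uuid))
end

if __FILE__ == $PROGRAM_NAME
  p username_mapping
  p uuid_mapping
end
```

Run it directly to print both mappings. The username-keyed replay resolves the second user's sign-in to `account-alice`, which is the account takeover the report describes; the UUID-keyed replay keeps `account-alice` bound to Alice through the rename and gives the second user a separate account. As the report notes, switching the derivation only helps identities created after the change; rows already stored with a username as `extern_uid` would still need to be migrated to the UUID.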