Adding projects to smart mirror using different domain results in "Failed to add projects" error
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When attempting to add a new project to the list of projects that should be mirrored in Google Chrome, the following error is displayed:
"Failed to add projects. Some projects could not be added. Please refresh the page and try again."
In addition, the domain being used by the mirror and primary Bitbucket instances are not the same. Ex:
- mybitbucketinstance.com - Primary Bitbucket instance
- mybitbucketmirror.com - Mirror
Environment
- Bitbucket - Data Center
- Browser - Google Chrome (version 80+ under "Help > About Google Chrome")
Diagnosis
When opening the developer console in Google Chrome, a POST request to the URL "https://mirrorservername.com/rest/mirroring/latest/upstreamServers/<UpstreamServerID>/settings/projects" can be seen which returns back a '401 Unauthorized' status code and has the following content in the response:
{
"errors": [
{
"context": null,
"message": "You are not permitted to access this resource",
"exceptionName": "com.atlassian.bitbucket.AuthorisationException"
}
]
}In addition, when reviewing the JavaScript console, the following warning message can be seen:
A cookie associated with a cross-site resource at https://mybitbucketmirrror.com/ was set without the `SameSite` attribute.
It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`.
You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.Cause
This error is thrown because the mirror is unable to set the necessary BITBUCKETSESSIONID cookie when loading the mirror administration page - resulting in any requests to the mirror being unauthenticated.
This cookie is ultimately unable to be set because the 'Set-Cookie' header within the response from the mirror is blocked by Google Chrome due to a recent change that was implemented in Google Chrome version 80+.
This change makes it so that any cookies set for a domain that differs from the domain of the page being visited are not allowed unless the cookie contains the appropriate 'SameSite' value. As Bitbucket doesn't specify this attribute, the request is then blocked.
Solution
There is currently an open bug request to address the need for this BITBUCKETSESSIONID cookie to be set despite the domain for the mirror and the primary Bitbucket instance being different:
- BSERV-12619 - Getting issue details... STATUS
Workarounds
Any of the below options are available in order to get past this error when configuring the projects to be synchronized to this mirror server:
- Try clearing the browser cache
- Try using a different browser such as Firefox
Change the domain of your mirrors to match the domain of your primary Bitbucket instance.
Using a context-path is a good alternative for helping to create distinct URLs for multiple different mirrors in one Bitbucket instance.
- Use a reverse proxy to rewrite the 'Set-Cookie' header to contain the needed SameSite attribute, using something similar to the following rule:
http-response replace-header Set-Cookie ^(BITBUCKETSESSIONID=.*) \1;\ SameSite=None
The above-mentioned workaround is specifically for HAProxy reverse proxy. If you are using a different reverse proxy, you may need to add the corresponding entry to achieve the same results.