Adding projects to smart mirror using different domain results in "Failed to add projects" error

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When attempting to add a new project to the list of projects that should be mirrored in Google Chrome, the following error is displayed:

"Failed to add projects. Some projects could not be added. Please refresh the page and try again."

In addition, the domain being used by the mirror and primary Bitbucket instances are not the same. Ex:

  • mybitbucketinstance.com - Primary Bitbucket instance
  • mybitbucketmirror.com - Mirror

Environment

  • Bitbucket - Data Center 
  • Browser - Google Chrome (version 80+ under "Help > About Google Chrome")

Diagnosis

When opening the developer console in Google Chrome, a POST request to the URL "https://mirrorservername.com/rest/mirroring/latest/upstreamServers/<UpstreamServerID>/settings/projects" can be seen which returns back a '401 Unauthorized' status code and has the following content in the response:

{
  "errors": [
    {
      "context": null,
      "message": "You are not permitted to access this resource",
      "exceptionName": "com.atlassian.bitbucket.AuthorisationException"
    }
  ]
}

In addition, when reviewing the JavaScript console, the following warning message can be seen:

A cookie associated with a cross-site resource at https://mybitbucketmirrror.com/ was set without the `SameSite` attribute. 
It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. 
You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Cause

This error is thrown because the mirror is unable to set the necessary BITBUCKETSESSIONID cookie when loading the mirror administration page - resulting in any requests to the mirror being unauthenticated.

This cookie is ultimately unable to be set because the 'Set-Cookie' header within the response from the mirror is blocked by Google Chrome due to a recent change that was implemented in Google Chrome version 80+.

This change makes it so that any cookies set for a domain that differs from the domain of the page being visited are not allowed unless the cookie contains the appropriate 'SameSite' value. As Bitbucket doesn't specify this attribute, the request is then blocked.

Solution

There is currently an open bug request to address the need for this BITBUCKETSESSIONID cookie to be set despite the domain for the mirror and the primary Bitbucket instance being different:

Workarounds

Any of the below options are available in order to get past this error when configuring the projects to be synchronized to this mirror server:

  • Try clearing the browser cache
  • Try using a different browser such as Firefox
  • Change the domain of your mirrors to match the domain of your primary Bitbucket instance.

    • Using a context-path is a good alternative for helping to create distinct URLs for multiple different mirrors in one Bitbucket instance.

  • Use a reverse proxy to rewrite the 'Set-Cookie' header to contain the needed SameSite attribute, using something similar to the following rule:
http-response replace-header Set-Cookie ^(BITBUCKETSESSIONID=.*) \1;\ SameSite=None

 The above-mentioned workaround is specifically for HAProxy reverse proxy. If you are using a different reverse proxy, you may need to add the corresponding entry to achieve the same results.

Last modified on Jul 4, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.