[Bitbucket] [AccessTokenAuth] File name too long

[p24-max]

My composer.json:

(secret-key is redacted with .)

[...]
  "repositories": {
        "filter-cms" : {
            "type": "vcs",
            "url": "https://x-token-auth:ATCT.........................................................................................................................................................................................8FC@bitbucket.org/the-namespace/module-filter-cms.git"
        }
  }
[...]

Output of composer diagnose:

Checking composer.json: OK
Checking platform settings: OK
Checking git settings: OK git version 2.39.3
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0 87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B 0C708369 153E328C AD90147D AFE50952
OK
Checking Composer version: OK
Checking Composer and its dependencies for vulnerabilities: OK
Composer version: 2.7.2
PHP version: 8.1.26
PHP binary path: /opt/homebrew/Cellar/php@8.1/8.1.26/bin/php
OpenSSL version: OpenSSL 3.2.0 23 Nov 2023
cURL version: 8.5.0 libz 1.2.12 ssl (SecureTransport) OpenSSL/3.2.0
zip: extension present, unzip present, 7-Zip not available

When I run this command:

php composer.phar require the-namespace/module-filter-cms:dev-master

I get the following output:

  [RuntimeException]                                                                                                                                                                                                                          
  Failed to execute git clone --mirror -- 'https://x-token-auth: ATCT.........................................................................................................................................................................................8FC@bitbucket.org/the-namespace/module-filter-cms.git' '/Users/xxx/Library/Caches/composer/vcs/https---x-token-auth-ATCT.........................................................................................................................................................................................8FC-bitbucket.org-the-namespace-module-filter-cms.git/'                                                                                     
                                                                                                                                                                                                                                              
  Cloning into bare repository '/Users/xxx/Library/Caches/composer/vcs/https---x-token-auth-ATCT.........................................................................................................................................................................................8FC-bitbucket.org-the-namespace-module-filter-cms.git'...                                                                                                                           
  fatal: Invalid path '/Users/xxx/Library/Caches/composer/vcs/https---x-token-auth-ATCT.........................................................................................................................................................................................8FC-bitbucket.org-the-namespace-module-filter-cms.git': File name too long   

And I expected this to happen:
That it installs the dependency without any error.

File name is too long as the username+password contained in the URL is used for the cache-folder as well which is not reliable implementation.
Corresponding code: https://github.com/composer/composer/blob/main/src/Composer/Downloader/GitDownloader.php#L70

In my case, I have multiple private Bitbucket repos. Each one has a different access token, this is why I cannot make use of auth.json.

[p24-max]

I opened a pull request to fix this. Would be great if the merge-commit could be cherry-picked to version 2.2.x and 2.6.x as well.
Thank you <3

[KevinVanSonsbeek]

Is there a specific reason why you would want to (hard/fixed) integrate the authentication token, in the repository url?

As composer does support authentication config https://getcomposer.org/doc/articles/authentication-for-private-packages.md for private repos. Which saves you having to hard code tokens or alike in your composer.json.

[p24-max]

@KevinVanSonsbeek thanks for your input, my issue is that I have approx. 5 private repos, all hosted on bitbucket. Each of those repos do have its own access-token (as per Bitbucket limitations). It is possible to get 1 bitbucket accesstoken for all repos only with their paid Premium-Plan.

I tried lots of things, even with custom Baerer-Authorization header within composer.json, but nothing really worked (except this PR, this one works).

In my case, all developers who have access to the composer.json also have access to the other private repositories so I do not have security concerns in this particular case.