Expired PAT Causes Post-Merge Push Failure and Cannot Be Updated via UI (SZ-109)
rk@tigase.net opened 5 days ago

Summary

If the Personal Access Token (PAT) used for an external Git repository (e.g., GitHub) expires, merge operations in Sztab fail during the push step.

There is currently no way to update the stored PAT via the Project Edit UI. The only workaround is to either:

  • Create PATs with long expiration periods, or
  • Manually update the PAT directly in the database.

This is a functional gap and creates operational risk.


Environment

Version: 1.9.2
Component: Sztab + Sztabina
External Git: GitHub (PAT-based authentication)


Steps to Reproduce

  1. Configure a Project with an external Git URL (e.g., GitHub).
  2. Provide a valid PAT.
  3. Allow the PAT to expire.
  4. Attempt a merge (regular, squash, rebase, or ff).
  5. Observe that merge completes locally but push fails.
  6. Navigate to Project → Edit.

Actual Behavior

  • Merge operation in Sztabina succeeds locally.
  • Push to remote fails due to expired PAT.
  • Sztab reports merge failure.
  • Project Edit screen does not allow updating the stored PAT.
  • No recovery path is available via UI.

Expected Behavior

  • Project Edit screen should allow updating Git credentials (username + PAT).
  • System should clearly report authentication failure.
  • Merge operation should not leave repository in inconsistent state.

Impact

  • Users are blocked from completing merges.
  • No self-service recovery path.
  • Requires direct DB intervention.
  • Operationally fragile for short-lived tokens.

Current Workaround

  1. Generate PATs with long expiration times.
  2. Or manually update the PAT in the database.
  3. Restart stack if necessary.

Suggested Fix

  1. Extend Project Edit UI to allow updating Git credentials.
  2. Validate credentials on save (optional).
  3. Improve error messaging on push failure.
  4. Consider detecting 401/403 from remote and surfacing it as "Authentication expired".

Severity

Medium–High

Blocks merge workflow once token expires.

  • rk@tigase.net commented 5 days ago

    Task Breakup:

    1. Backend DTO + entity update to allow credential update ~45 minutes
       • Add fields to ProjectUpdateDto (gitUsername, gitToken)
       • Update service layer to persist changes
       • Ensure token is encrypted/handled consistently
    2. Controller wiring + validation ~30–45 minutes
       • Allow optional update (don’t overwrite if null)
       • Add clear error message propagation
    3. UI change (Project Edit screen) ~45–60 minutes
       • Add masked PAT field
       • UX note: “Leave blank to keep existing token”
       • Ensure it doesn’t echo token back
    4. Error handling improvement on push failure ~30 minutes
       • Detect auth-related push errors
       • Map to meaningful message (“Authentication failed or token expired”)
    5. Regression test (manual + curl) ~30–45 minutes

    Total: ~3 hours focused work.
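
Added example (not Sztab or Sztabina code) for the error-handling and credential-update tasks listed above: it maps a failed `git push` to an auth-specific message, strips the token from the text before it is shown, keeps the stored token when the edit form leaves the field blank, and never returns the token in a response. The stderr sample is constructed, the pattern list is an assumed set of git messages, and `gitTokenSet` is a hypothetical field name; `gitUsername` and `gitToken` follow the task list.

```python
import re

# Assumed set of messages git prints when an HTTPS remote rejects the credential.
AUTH_PATTERNS = [
    re.compile(r"Authentication failed for", re.I),
    re.compile(r"Invalid username or (password|token)", re.I),
    re.compile(r"returned error: (401|403)\b"),
]
# Credentials embedded in a remote URL: https://user:TOKEN@host/...
URL_USERINFO = re.compile(r"(https?://)[^/\s@]+@")
# Constructed sample stderr (not captured from a real run).
SAMPLE_STDERR = (
    "remote: Invalid username or password.\n"
    "fatal: Authentication failed for 'https://bot:EXAMPLE_TOKEN@github.com/acme/app.git/'\n"
)

def redact(text, token=None):
    """Strip credentials from text before it is logged or shown to a user."""
    text = URL_USERINFO.sub(r"\1***@", text)
    if token:
        text = text.replace(token, "***")
    return text

def classify_push_failure(exit_code, stderr, token=None):
    """Map a `git push` result to (category, user_message, safe_detail)."""
    if exit_code == 0:
        return ("ok", "Push succeeded", "")
    detail = redact(stderr, token)
    if any(p.search(stderr) for p in AUTH_PATTERNS):
        return ("auth", "Authentication failed or token expired", detail)
    return ("other", "Push to remote failed", detail)

def merge_credentials(stored, update):
    """Apply an edit-form update; blank or missing fields keep the stored value."""
    merged = dict(stored)
    for field in ("gitUsername", "gitToken"):
        value = update.get(field)
        if value:  # None or "" means "leave unchanged"
            merged[field] = value
    return merged

def to_response(project):
    """Response view of a project: report only whether a token is set."""
    view = {k: v for k, v in project.items() if k != "gitToken"}
    view["gitTokenSet"] = bool(project.get("gitToken"))  # hypothetical field
    return view
```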

Type: Bug
Priority: Normal
Assignee:
Version: 1.9.2
Sprints: n/a
Customer: n/a
Issue Votes (0)
Watchers (3)
Reference: SZ-109