git-updater: Bitbucket Private Repo with Release Assets: Package download says Bad Request


I was struggling to set up a theme deployment workflow with a private repository hosted on Bitbucket using release assets.

When WP tries to download the package it failed, saying “Bad Request”.

I dug into it, looking closely at each cURL request WP is performing, and presumably was able to spot the cause:

  1. The initial download URL is something like <owner>/<repo>/downloads/<repo>-<tag>.zip. HTTP Basic Auth credentials are sent along to Bitbucket.
  2. Bitbucket responds with a 302 redirect to an Amazon S3 bucket or something alike.
  3. WordPress opens a second cURL request, using the redirect URL. The HTTP Basic Auth header is still present in the follow-up request. Amazon doesn’t like it.

That’s what the response looks like:

string(806) "HTTP/1.1 400 Bad Request
x-amz-request-id: <SOME_ID>
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Wed, 12 Sep 2018 15:43:01 GMT
Connection: close
Server: AmazonS3

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>Basic [HTTP_BASIC_AUTH_HEADER_VALUE]</ArgumentValue><RequestId>[SOME_ID]</RequestId><HostId>[SOME_LONGISH_ID_LOOKING_LIKE_BASE64]</HostId></Error>

I finally managed to solve my task by simply deactivating release assets, but I’d like to share my findings here, in case someone runs into the same issue.

Regards, jörn

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 15 (12 by maintainers)

Most upvoted comments

Hi Andy, I think I was able to fix it. There are a couple of undocumented WordPress actions in the Requests class (wp-includes/class-requests.php). One of them is requests-requests.before_redirect, which gets fired before WP follows a redirect. All I had to do then was to check if a request to Amazon AWS has a) an HTTP Basic Auth in the request header and b) an AWS-specific auth in the query string and, if so, get rid of the Basic Auth.

Please have a look at this commit: In theory the fix should work for each and every download from Amazon AWS, not just on the Bitbucket subdomain ( I think you might want to include it in the API class, and not just in the Bitbucket_API, like me. (That’s why I didn’t send a PR.)

Hope I could help…
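
The check described in the comment above, sketched as an added example; it is not the commit referenced in the thread or the plugin's own code. The function name `example_strip_basic_auth_for_signed_url` is hypothetical, the sample URL and credentials are constructed placeholders, and the code assumes the hook passes the redirect location and the request headers by reference as its first two arguments.

```php
<?php
/**
 * Return the headers that may be sent to $location. The Authorization header
 * is dropped when the redirect target is an AWS host whose URL already carries
 * query-string authentication, the combination S3 rejects with 400.
 */
function example_strip_basic_auth_for_signed_url( $location, array $headers ) {
	$host  = strtolower( (string) parse_url( $location, PHP_URL_HOST ) );
	$query = (string) parse_url( $location, PHP_URL_QUERY );
	parse_str( $query, $params );

	// Match amazonaws.com or a subdomain of it, not a look-alike such as
	// "amazonaws.com.attacker.example".
	$is_aws = ( 'amazonaws.com' === $host ) || ( '.amazonaws.com' === substr( $host, -14 ) );

	// Parameter names taken from the S3 error message quoted in the issue.
	$is_signed = isset( $params['X-Amz-Algorithm'] ) || isset( $params['Signature'] );

	if ( $is_aws && $is_signed ) {
		foreach ( array_keys( $headers ) as $name ) {
			// Header names are case-insensitive.
			if ( 0 === strcasecmp( $name, 'Authorization' ) ) {
				unset( $headers[ $name ] );
			}
		}
	}
	return $headers;
}

if ( function_exists( 'add_action' ) ) {
	// Inside WordPress: rewrite the headers just before the redirect is followed.
	add_action(
		'requests-requests.before_redirect',
		function ( &$location, &$headers ) {
			$headers = example_strip_basic_auth_for_signed_url( $location, (array) $headers );
		},
		10,
		2
	);
} else {
	// Outside WordPress: run the check on a constructed redirect target.
	$sample = 'https://example-bucket.s3.amazonaws.com/repo-1.0.zip?Signature=PLACEHOLDER&Expires=1';
	$sent   = array( 'Authorization' => 'Basic PLACEHOLDER', 'Accept' => '*/*' );
	var_dump( example_strip_basic_auth_for_signed_url( $sample, $sent ) );
}
```

Beyond avoiding the 400, dropping the header keeps the Bitbucket credentials from being forwarded to the storage host that serves the redirect.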