Fix bearer token authentication for Git clone operations (azure-devops) (#6072)

* fix(azure-devops): fix bearer token auth for Git clone

Bearer tokens from DefaultAzureCredential were failing with 401 because
Git.fromAuth() doesn't handle { token } format. Changed to use basic auth
format like PAT tokens, which Azure DevOps supports for OAuth tokens.

Signed-off-by: tonyhogsten <tony.hogsten@if.se>

* fix(azure-devops): fix bearer token auth for Git clone

Bearer tokens from DefaultAzureCredential were failing with 401 because
Git.fromAuth() doesn't handle { token } format. Changed to use basic auth
format like PAT tokens, which Azure DevOps supports for OAuth tokens.

Signed-off-by: tonyhogsten <tony.hogsten@if.se>

* update test to match the object returned.

Signed-off-by: tonyhogsten <tony.hogsten@if.se>

* revert change of import order

Signed-off-by: tonyhogsten <tony.hogsten@if.se>

* Revert change of import order

Signed-off-by: tonyhogsten <tony.hogsten@if.se>

* revert change

Signed-off-by: tonyhogsten <tony.hogsten@if.se>

* Remove example and reference the documentation:.

Signed-off-by: Tony Hogsten <tony.hogsten@if.se>
Signed-off-by: tonyhogsten <tony.hogsten@if.se>

---------

Signed-off-by: tonyhogsten <tony.hogsten@if.se>
Signed-off-by: Tony Hogsten <tony.hogsten@if.se>

Author: tonyhogsten

workspaces/azure-devops/.changeset/fifty-papayas-scream.md

@@ -0,0 +1,5 @@
+---
+'@backstage-community/plugin-scaffolder-backend-module-azure-devops': patch
+---
+
+Fix bearer token authentication for Git clone operations

workspaces/azure-devops/plugins/scaffolder-backend-module-azure-devops/README.md

@@ -46,6 +46,8 @@ integrations:
         - personalAccessToken: ${PERSONAL_ACCESS_TOKEN}
 ```
 
+To use other authentication methods, see the [documentation.](https://backstage.io/docs/integrations/azure/locations)
+
 ## Usage
 
 You can use the action in any of the steps of your [Software Template](https://backstage.io/docs/features/software-templates/).

workspaces/azure-devops/plugins/scaffolder-backend-module-azure-devops/src/actions/devopsRepoClone.test.ts

@@ -100,7 +100,7 @@ describe('createAzureDevOpsCloneRepoAction', () => {
     await createAzureDevOpsCloneRepoAction({ integrations }).handler(ctx);
     expect(cloneRepo).toHaveBeenCalledWith(
       expect.objectContaining({
-        auth: { token: 'bearer-token' },
+        auth: { username: 'not-empty', password: 'bearer-token' },
       }),
     );
   });

workspaces/azure-devops/plugins/scaffolder-backend-module-azure-devops/src/actions/helpers.ts

@@ -102,19 +102,23 @@ export async function getGitCredentials(
     DefaultAzureDevOpsCredentialsProvider.fromIntegrations(integrations);
   const credentials = await credentialProvider.getCredentials({ url: url });
 
-  let auth: { username: string; password: string } | { token: string };
   if (token) {
-    auth = { username: 'not-empty', password: token };
-  } else if (credentials?.type === 'pat') {
-    auth = { username: 'not-empty', password: credentials.token };
-  } else if (credentials?.type === 'bearer') {
-    auth = { token: credentials.token };
-  } else {
+    return { username: 'not-empty', password: token };
+  }
+
+  if (!credentials) {
     throw new InputError(
-      `No credentials provided ${url}, please check your integrations config`,
+      `No credentials provided for ${url}, please check your integrations config`,
     );
   }
-  return auth;
+
+  if (credentials.type === 'pat' || credentials.type === 'bearer') {
+    return { username: 'not-empty', password: credentials.token };
+  }
+
+  throw new InputError(
+    `Unsupported credential type '${credentials.type}' for ${url}`,
+  );
 }
 
 export async function getAuthHandler(