Enabling 2FA on Bitbucket Server (Stash) with Drone

It recently came to our attention that there was an issue logging into Drone when 2FA is enabled. Upon investigation, it was realised there’s an additional step required to get it working.

When configuring 2FA, there’s an option to add to the list of whitelisted paths: (see image)

FIX: You must add ‘/plugins/servlet/applinks/whoami’

The reason is that when 2FA is enabled, the URL /plugins/servlet/applinks/whoami, which is used to get the username of the authenticated user, is disabled by default. This causes the following error:

  • unauthorized (‘parse "/rest/api/1.0/user?filter’)
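
The error above has the shape of a Go `net/url` parse failure. As an added example (not Drone's code and not part of the original post), the following assumes a client that places the whoami response body straight into the `filter` query, and shows a check that rejects a body that is not a bare username; the function names, the HTTP status handling and the sample bodies are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Path and parameter name as they appear in the error text on the page.
const userPath = "/rest/api/1.0/user"

// naiveUserURL models the assumed behaviour: the whoami body is used unchecked.
func naiveUserURL(whoamiBody string) (*url.URL, error) {
	return url.Parse(userPath + "?filter=" + whoamiBody)
}

// usernameFromWhoami accepts the response only if it is a bare username.
func usernameFromWhoami(status int, body string) (string, error) {
	if status != 200 {
		return "", fmt.Errorf("whoami returned HTTP %d: check the 2FA whitelist", status)
	}
	login := strings.TrimSpace(body)
	if login == "" {
		return "", errors.New("whoami returned an empty body")
	}
	for _, r := range login {
		if r < 0x20 || r == 0x7f || r == ' ' || r == '<' || r == '>' {
			return "", errors.New("whoami body is not a username: check the 2FA whitelist")
		}
	}
	return login, nil
}

// safeUserURL escapes the validated username before it enters the query.
func safeUserURL(login string) string {
	return userPath + "?" + url.Values{"filter": {login}}.Encode()
}

func main() {
	// Constructed sample: a page returned in place of the username.
	blocked := "<html>\n<body>second factor required</body>\n</html>"
	_, err := naiveUserURL(blocked)
	fmt.Println("unchecked:", err)
	_, err = usernameFromWhoami(200, blocked)
	fmt.Println("checked:  ", err)
	login, _ := usernameFromWhoami(200, "jsmith\n") // constructed username
	fmt.Println("ok:       ", safeUserURL(login))
}
```

With the check in place, a blocked whoami path produces a message that points at the 2FA whitelist instead of a URL parse error.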