system.text.json: bitbucket rest api custom converter

The Bitbucket authority returns the non-standard 'scopes' property with
token endpoint results. With Json.NET, it was possible to handle this
differentiation from the 'scope' property returned by other providers
using inheritance.

However, while this somewhat works in System.Text.Json, there is an issue
with overwriting the value with the final property. So, for example, if
'scopes' is the final property in the JSON returned from Bitbucket's OAuth
token endpoint, then the scopes property is correctly used in
deserialization. However, if 'scope' is the final property, this value
overwrites the scope value. For this reason, we use a custom converter to
explicitly deserialize Bitbucket OAuth responses.

For simplicity in working with System.Text.Json, we also store the
'expires_in' in a long rather than a TimeSpan.

Author: ldennington

src/shared/Atlassian.Bitbucket.Tests/BitbucketTokenEndpointResponseJsonTest.cs

@@ -1,19 +1,32 @@
-using Newtonsoft.Json;
+using System;
+using System.Text.Json;
 using Xunit;
 
 namespace Atlassian.Bitbucket.Tests
 {
     public class BitbucketTokenEndpointResponseJsonTest
     {
         [Fact]
-        public void BitbucketTokenEndpointResponseJson_Deserialize_Scopes_Not_Scope()
+        public void BitbucketTokenEndpointResponseJson_Deserialize_Uses_Scopes()
         {
-            var scopesString = "a,b,c";
-            var json = "{access_token: '', token_type: '', scopes:'" + scopesString + "', scope: 'x,y,z'}";
+            var accessToken = "123";
+            var tokenType = "Bearer";
+            var expiresIn = 1000;
+            var scopesString = "x,y,z";
+            var scopeString = "a,b,c";
 
-            var result = JsonConvert.DeserializeObject<BitbucketTokenEndpointResponseJson>(json);
+            var json = $"{{\"access_token\": \"{accessToken}\", \"token_type\": \"{tokenType}\", \"expires_in\": {expiresIn}, \"scopes\": \"{scopesString}\", \"scope\": \"{scopeString}\"}}";
 
+            var result = JsonSerializer.Deserialize<BitbucketTokenEndpointResponseJson>(json,
+                new JsonSerializerOptions
+                {
+                    PropertyNameCaseInsensitive = true
+                });
+
+            Assert.Equal(accessToken, result.AccessToken);
+            Assert.Equal(tokenType, result.TokenType);
+            Assert.Equal(expiresIn, result.ExpiresIn);
             Assert.Equal(scopesString, result.Scope);
         }
     }
-}
+}

src/shared/Atlassian.Bitbucket/BitbucketTokenEndpointResponseJson.cs

@@ -1,12 +1,73 @@
+using System;
+using System.Text.Json;
 using GitCredentialManager.Authentication.OAuth.Json;
-using Newtonsoft.Json;
+using System.Text.Json.Serialization;
 
-namespace Atlassian.Bitbucket 
+namespace Atlassian.Bitbucket
 {
-        public class BitbucketTokenEndpointResponseJson : TokenEndpointResponseJson
+    [JsonConverter(typeof(BitbucketCustomTokenEndpointResponseJsonConverter))]
+    public class BitbucketTokenEndpointResponseJson : TokenEndpointResponseJson
+    {
+        // To ensure the "scopes" property used by Bitbucket is deserialized successfully with System.Text.Json, we must
+        // use a custom converter. Otherwise, ordering will matter (i.e. if "scopes" is the final property, its value
+        // will be used, but if "scope" is the final property, its value will be used).
+    }
+
+    public class BitbucketCustomTokenEndpointResponseJsonConverter : JsonConverter<BitbucketTokenEndpointResponseJson>
+    {
+        public override BitbucketTokenEndpointResponseJson Read(
+            ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
         {
-            // Bitbucket uses "scopes" for the scopes property name rather than the standard "scope" name
-            [JsonProperty("scopes")]
-            public override string Scope { get; set; }
+            if (reader.TokenType != JsonTokenType.StartObject)
+            {
+                throw new JsonException();
+            }
+
+            var response = new BitbucketTokenEndpointResponseJson();
+
+            while (reader.Read())
+            {
+                if (reader.TokenType == JsonTokenType.EndObject)
+                {
+                    return response;
+                }
+
+                if (reader.TokenType == JsonTokenType.PropertyName)
+                {
+                    var propertyName = reader.GetString();
+                    reader.Read();
+                    if (propertyName != null)
+                    {
+                        switch (propertyName)
+                        {
+                            case "access_token":
+                                response.AccessToken = reader.GetString();
+                                break;
+                            case "token_type":
+                                response.TokenType = reader.GetString();
+                                break;
+                            case "expires_in":
+                                if (reader.TryGetUInt32(out var expiration))
+                                    response.ExpiresIn = expiration;
+                                else
+                                    response.ExpiresIn = null;
+                                break;
+                            case "refresh_token":
+                                response.RefreshToken = reader.GetString();
+                                break;
+                            case "scopes":
+                                response.Scope = reader.GetString();
+                                break;
+                        }
+                    }
+                }
+            }
+
+            throw new JsonException();
         }
-}
+
+        public override void Write(
+            Utf8JsonWriter writer, BitbucketTokenEndpointResponseJson tokenEndpointResponseJson, JsonSerializerOptions options)
+        { }
+    }
+}

src/shared/Core.Tests/TokenEndpointResponseJsonTest.cs

@@ -0,0 +1,31 @@
+using System;
+using System.Text.Json;
+using GitCredentialManager.Authentication.OAuth.Json;
+using Xunit;
+
+namespace Core.Tests;
+
+public class TokenEndpointResponseJsonTest
+{
+    [Fact]
+    public void TokenEndpointResponseJson_Deserialize_Uses_Scope()
+    {
+        var accessToken = "123";
+        var tokenType = "Bearer";
+        var expiresIn = 1000;
+        var scopesString = "x,y,z";
+        var scopeString = "a,b,c";
+        var json = $"{{\"access_token\": \"{accessToken}\", \"token_type\": \"{tokenType}\", \"expires_in\": {expiresIn}, \"scopes\": \"{scopesString}\", \"scope\": \"{scopeString}\"}}";
+
+        var result = JsonSerializer.Deserialize<TokenEndpointResponseJson>(json,
+            new JsonSerializerOptions
+            {
+                PropertyNameCaseInsensitive = true
+            });
+
+        Assert.Equal(accessToken, result.AccessToken);
+        Assert.Equal(tokenType, result.TokenType);
+        Assert.Equal(expiresIn, result.ExpiresIn);
+        Assert.Equal(scopeString, result.Scope);
+    }
+}

src/shared/Core/Authentication/OAuth/Json/DeviceAuthorizationEndpointResponseJson.cs

@@ -15,18 +15,16 @@ public class DeviceAuthorizationEndpointResponseJson
         public Uri VerificationUri { get; set; }
 
         [JsonProperty("expires_in")]
-        [JsonConverter(typeof(TimeSpanSecondsConverter))]
-        public TimeSpan? ExpiresIn { get; set; }
+        public long ExpiresIn { get; set; }
 
         [JsonProperty("interval")]
-        [JsonConverter(typeof(TimeSpanSecondsConverter))]
-        public TimeSpan? PollingInterval { get; set; }
+        public long PollingInterval { get; set; }
 
         public OAuth2DeviceCodeResult ToResult()
         {
-            return new OAuth2DeviceCodeResult(DeviceCode, UserCode, VerificationUri, PollingInterval)
+            return new OAuth2DeviceCodeResult(DeviceCode, UserCode, VerificationUri, TimeSpan.FromSeconds(PollingInterval))
             {
-                ExpiresIn = ExpiresIn
+                ExpiresIn = TimeSpan.FromSeconds(ExpiresIn)
             };
         }
     }

src/shared/Core/Authentication/OAuth/Json/TimeSpanSecondsConverter.cs

@@ -1,31 +1,33 @@
 using System;
-using Newtonsoft.Json;
+using System.Text.Json;
+using System.Text.Json.Serialization;
 
 namespace GitCredentialManager.Authentication.OAuth.Json
 {
     public class TokenEndpointResponseJson
     {
-        [JsonProperty("access_token", Required = Required.Always)]
+        [JsonRequired]
+        [JsonPropertyName("access_token")]
         public string AccessToken { get; set; }
 
-        [JsonProperty("token_type", Required = Required.Always)]
+        [JsonRequired]
+        [JsonPropertyName("token_type")]
         public string TokenType { get; set; }
 
-        [JsonProperty("expires_in")]
-        [JsonConverter(typeof(TimeSpanSecondsConverter))]
-        public TimeSpan? ExpiresIn { get; set; }
+        [JsonPropertyName("expires_in")]
+        public long? ExpiresIn { get; set; }
 
-        [JsonProperty("refresh_token")]
+        [JsonPropertyName("refresh_token")]
         public string RefreshToken { get; set; }
 
-        [JsonProperty("scope")]
+        [JsonPropertyName("scope")]
         public virtual string Scope { get; set; }
 
         public OAuth2TokenResult ToResult()
         {
             return new OAuth2TokenResult(AccessToken, TokenType)
             {
-                ExpiresIn = ExpiresIn,
+                ExpiresIn = ExpiresIn.HasValue ? TimeSpan.FromSeconds(ExpiresIn.Value) : null,
                 RefreshToken = RefreshToken,
                 Scopes = Scope?.Split(' ')
             };

src/shared/Core/Authentication/OAuth/Json/TokenEndpointResponseJson.cs

@@ -14,7 +14,7 @@
     <Reference Include="System.Net.Http" />
     <Reference Include="System.Web" />
     <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.54.0" />
-    <PackageReference Include="Avalonia.Win32" Version="11.0.0-preview6"/>
+    <PackageReference Include="Avalonia.Win32" Version="11.0.0-preview6" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' != 'net472'">