Open
Labels
bug (Something isn't working)
Description
Describe the bug
We only request the read_api (or repo) scope to accounts when permission syncing is enabled, meaning if an account is created before permission syncing is enabled, user-driven permission sync jobs for that account will fail with the following error:
[worker] 2025-11-28T19:48:24.132Z info: [user-permission-syncer:job:cmij9z3x90002xnti61r6kjui] Syncing permissions for gitlab account (id: cmij9t22n0004xn64szkd3hxs) for user [email protected]...
[worker] 2025-11-28T19:48:24.462Z error: [gitlab] Failed to fetch projects for authenticated user. Forbidden
[worker] GitbeakerRequestError: Forbidden
[worker] at throwFailedRequestError (file:///Users/brendan/sourcebot/node_modules/@gitbeaker/rest/dist/index.mjs:41:9)
[worker] at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
[worker] at async defaultRequestHandler (file:///Users/brendan/sourcebot/node_modules/@gitbeaker/rest/dist/index.mjs:74:48)
[worker] at async file:///Users/brendan/sourcebot/node_modules/@gitbeaker/core/dist/index.mjs:99:22
[worker] at async fetchWithRetry (file:///Users/brendan/sourcebot/packages/backend/dist/utils.js:69:20)
[worker] at async getProjectsForAuthenticatedUser (file:///Users/brendan/sourcebot/packages/backend/dist/gitlab.js:266:26)
[worker] at async file:///Users/brendan/sourcebot/packages/backend/dist/ee/accountPermissionSyncer.js:168:47
[worker] at async AccountPermissionSyncer.runJob (file:///Users/brendan/sourcebot/packages/backend/dist/ee/accountPermissionSyncer.js:132:25)
[worker] at async /Users/brendan/sourcebot/node_modules/bullmq/dist/cjs/classes/worker.js:517:32
[worker] at async Worker.retryIfFailed (/Users/brendan/sourcebot/node_modules/bullmq/dist/cjs/classes/worker.js:742:24)
[worker] 2025-11-28T19:48:24.479Z error: [user-permission-syncer:job:cmij9z3x90002xnti61r6kjui] Account permission sync job failed for account (id: cmij9t22n0004xn64szkd3hxs) for user [email protected]: Forbidden
To reproduce
- With permission syncing disabled, create a new Sourcebot user with either GitHub or GitLab IdP
- Shut down, enable permission syncing, and restart
- Notice that the user permission sync jobs will fail with 403s.
Sourcebot deployment information
Sourcebot version (e.g. v3.0.1): v4.10.0
Additional information
We probably need to re-create the access token after permission syncing is enabled.
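
One way to catch affected accounts before a sync job hits the 403, as an added example (not Sourcebot's code). It assumes each linked account record keeps the OAuth `scope` string returned when its token was issued; the record shape, function names and sample accounts are hypothetical.

```javascript
// Added example: pre-flight scope check for permission sync jobs.
// Assumption: account records look like { id, provider, scope }.

// Scope each provider's token needs for permission syncing (from the issue text).
const REQUIRED_SCOPE = { gitlab: 'read_api', github: 'repo' };
// Broader scopes that also satisfy the requirement (GitLab `api` includes API read access).
const IMPLIED_BY = { read_api: ['api'] };

// GitHub returns comma-separated scopes, GitLab space-separated; accept both.
function parseScopes(scopeString) {
  return new Set((scopeString ?? '').split(/[\s,]+/).filter(Boolean));
}

// Returns 'sync', 'reauthorize' or 'unsupported' for one account.
function classifyAccount(account) {
  const required = REQUIRED_SCOPE[account.provider];
  if (!required) return 'unsupported';
  const granted = parseScopes(account.scope);
  const acceptable = [required, ...(IMPLIED_BY[required] ?? [])];
  // A missing or empty scope string fails closed: the token must be re-issued.
  return acceptable.some((s) => granted.has(s)) ? 'sync' : 'reauthorize';
}

// Splits accounts into those safe to sync and those whose token predates
// permission syncing and needs a fresh OAuth grant with the wider scope.
function planPermissionSync(accounts) {
  const plan = { sync: [], reauthorize: [], unsupported: [] };
  for (const account of accounts) {
    plan[classifyAccount(account)].push(account.id);
  }
  return plan;
}

// Constructed sample data: two accounts linked before permission syncing
// was enabled, two linked after, one with no recorded scope.
const sampleAccounts = [
  { id: 'gl-before', provider: 'gitlab', scope: 'read_user openid profile email' },
  { id: 'gl-after', provider: 'gitlab', scope: 'read_user read_api' },
  { id: 'gh-before', provider: 'github', scope: 'read:user,user:email' },
  { id: 'gh-after', provider: 'github', scope: 'read:user,user:email,repo' },
  { id: 'gl-noscope', provider: 'gitlab', scope: null },
];

console.log(planPermissionSync(sampleAccounts));
```

Accounts in the `reauthorize` bucket would be prompted to sign in again so a token with the wider scope is issued, rather than being queued for a job that is known to fail.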