[BUG] Azure DevOps repository cloning fails due to incorrect authentication method Description

[yurika96]

Describe the bug

When connecting to an Azure DevOps instance, the initial API connection and repository discovery succeed, but the subsequent git clone operation fails with an Authentication failed error.

This issue stems from the way repoManager constructs the clone URL for Azure DevOps repositories.

Logs

The initial sync job shows a successful API connection:

[backend] | 2025-09-19T06:42:54.369Z info: [connection-manager] Connection sync job for connection azure_devops (id: 5, jobId: 17) completed

However, the cloning process initiated by repoManager fails:

[backend] | 2025-09-19T06:42:54.796Z error: [repo-manager] Failed to sync repository [internal-devops-host]/mpilot_perception/auto-tagging-platform ... Error: Failed to clone repository ...
[backend] | fatal: could not read Password for 'https://xxxxx@[internal-devops-host]': No such device or address

Root Cause Analysis

Incorrect Credential Formatting: In packages/backend/src/repoManager.ts, the getCloneCredentialsForRepo function returns only a password (the PAT) for azuredevops connections.

Incorrect URL Construction: The syncGitRepository function in the same file has a fallback mechanism that incorrectly assigns the password to the username field of the clone URL when username is not provided. This results in an improperly formatted URL like https://@[internal-devops-host]/....

Azure DevOps Authentication Mechanism: Azure DevOps does not support authentication via a PAT embedded in the username part of a URL. It requires the PAT to be supplied as the password in a Basic Authentication scheme, typically with an arbitrary (or empty) username.

https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Windows#use-a-pat

Manual Verification

We have confirmed the correct authentication method via the command line.

Failed Attempt (mimicking current behavior):

git clone https://pat:YOUR_PAT@[internal-devops-host]/...
# Result: fatal: Authentication failed

Successful Attempt (correct method):
This method injects the credentials directly into the HTTP header, which is the correct way to authenticate with Azure DevOps.

TOKEN="YOUR_PAT"
AUTH_HEADER="Authorization: Basic $(echo -n ":$TOKEN" | base64)"
git -c http.extraHeader="$AUTH_HEADER" clone https://[internal-devops-host]/...
# Result: Success, cloning begins.

Suggested Solution

The repoManager needs to be updated to handle Azure DevOps authentication correctly.

Modify git.ts: The cloneRepository and fetchRepository functions in packages/backend/src/git.ts should be updated to accept an optional config parameter (a string array) to pass custom configurations like http.extraHeader to the underlying simple-git call.

Modify repoManager.ts: In syncGitRepository, add logic to detect if the repository is from an azuredevops connection.

If it is, construct the Authorization: Basic ... header using the PAT and pass it to cloneRepository/fetchRepository via the new config parameter.
If it is not, retain the existing logic of embedding credentials in the URL.
This will ensure that Azure DevOps repositories are cloned using the correct, header-based authentication method without affecting other Git providers.

To reproduce

1. Configure a new code host connection of type azuredevops.
2. Provide the URL for your Azure DevOps server (e.g., https://[internal-devops-host]) and a valid Personal Access Token (PAT) with at least Code (Read) permissions.
3. Configure the connection to sync a specific repository.
4. Trigger a sync for the connection.
5. Observe the backend logs for the repo-manager service.

Sourcebot deployment information

Sourcebot version (e.g. v3.0.1): 4.7.0

Additional information

No response

[msukkari]

Hi @yurika96 this should hopefully be fixed in v4.7.1, could you test it when you get the chance? Please reopen this if it still no longer works for you