refactor: clean up Gerrit auth based on review feedback

- Remove unused imports and redundant tests
- Fix password fields to use token objects
- Remove unnecessary exception metadata
- Add changelog entry

Author: zuharz

CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- Added comprehensive Gerrit HTTP authentication support with username/password credentials via secrets and environment variables. [#366](https://github.com/sourcebot-dev/sourcebot/pull/366)
+
 ## [4.7.0] - 2025-09-17
 
 ### Added

packages/backend/src/gerrit.test.ts

@@ -348,7 +348,7 @@ test('getGerritReposFromConfig handles authenticated access with HTTP Basic Auth
         projects: ['test-project'],
         auth: {
             username: 'testuser',
-            password: 'test-password'
+            password: { secret: 'test-secret' }
         }
     };
 
@@ -463,7 +463,7 @@ test('getGerritReposFromConfig handles authentication errors', async () => {
         projects: ['test-project'],
         auth: {
             username: 'testuser',
-            password: 'invalid-password'
+            password: { secret: 'invalid-secret' }
         }
     };
 
@@ -740,7 +740,7 @@ test('getGerritReposFromConfig validates Basic Auth header format', async () =>
         projects: ['test-project'],
         auth: {
             username: 'user@example.com',
-            password: 'complex-password-123!'
+            password: { secret: 'complex-secret' }
         }
     };
 
@@ -835,7 +835,7 @@ test('getGerritReposFromConfig handles mixed authentication scenarios', async ()
         projects: ['private-project'],
         auth: {
             username: 'testuser',
-            password: 'test-password'
+            password: { secret: 'test-secret' }
         }
     };
 
@@ -959,7 +959,7 @@ test('getGerritReposFromConfig rejects invalid token formats (security)', async
         projects: ['test-project'],
         auth: {
             username: 'testuser',
-            password: 'direct-string-password' // This should be rejected
+            password: { secret: 'invalid-secret' } // This should be rejected for other reasons
         }
     };
 

packages/backend/src/gerrit.ts

@@ -142,9 +142,7 @@ const fetchAllProjects = async (url: string, auth?: GerritAuthConfig): Promise<G
             const errorText = await response.text().catch(() => 'Unknown error');
             logger.error(`Failed to fetch projects from Gerrit at ${endpointWithParams} with status ${response.status}: ${errorText}`);
             const e = new BackendException(BackendError.CONNECTION_SYNC_FAILED_TO_FETCH_GERRIT_PROJECTS, {
-               status: response.status,
-               url: endpointWithParams,
-               authenticated: !!auth
+               status: response.status
             });
             Sentry.captureException(e);
             throw e;
@@ -159,9 +157,7 @@ const fetchAllProjects = async (url: string, auth?: GerritAuthConfig): Promise<G
          const message = (err as Error)?.message ?? String(err);
          logger.error(`Failed to fetch projects from Gerrit at ${endpointWithParams} with status ${status}: ${message}`);
          throw new BackendException(BackendError.CONNECTION_SYNC_FAILED_TO_FETCH_GERRIT_PROJECTS, {
-            status,
-            url: endpointWithParams,
-            authenticated: !!auth
+            status
          });
       }
 

packages/crypto/src/tokenUtils.test.ts

@@ -1,5 +1,4 @@
 import { describe, test, expect, vi, beforeEach } from 'vitest';
-import { PrismaClient } from '@sourcebot/db';
 import { getTokenFromConfig } from './tokenUtils';
 
 // Mock the decrypt function
@@ -58,19 +57,6 @@ describe('tokenUtils', () => {
             expect(mockPrisma.secret.findUnique).not.toHaveBeenCalled();
         });
 
-        test('throws error for string tokens (security)', async () => {
-            const config = 'direct-string-token';
-
-            await expect(getTokenFromConfig(config as any, testOrgId, mockPrisma))
-                .rejects.toThrow('Invalid token configuration');
-        });
-
-        test('throws error for malformed token objects', async () => {
-            const config = { invalid: 'format' };
-
-            await expect(getTokenFromConfig(config as any, testOrgId, mockPrisma))
-                .rejects.toThrow('Invalid token configuration');
-        });
 
         test('throws error for missing secret', async () => {
             mockPrisma.secret.findUnique.mockResolvedValue(null);