CBG-4737: Remove basic auth command line flags #7679

Merged
merged 3 commits into from
Aug 13, 2025
bbrks (Member) commented Aug 12, 2025

CBG-4737

Disable bootstrap.password, and remove username/password from bucket_credentials and db_credentials command line flags.

Actual output

$ ./sync_gateway --bootstrap.password abc sg_config.json                            
2025-08-12T21:22:04.582+01:00 ==== Couchbase Sync Gateway/() CE ====
2025-08-12T21:22:04.582+01:00 [ERR] Couldn't start Sync Gateway: error merging flags on to config: 1 errors:
command line flag "bootstrap.password" is no longer supported and must be removed Use config file to specify bootstrap password, or use X.509 cert/key path flags instead. -- base.FatalfCtx() at logging.go:151

$ ./sync_gateway --bucket_credentials '{"b1":{"password":"abc"}}'
2025-08-12T20:59:56.990+01:00 ==== Couchbase Sync Gateway/() CE ====
2025-08-12T20:59:56.990+01:00 [ERR] Couldn't start Sync Gateway: error merging flags on to config: 1 errors:
flag bucket_credentials for value "{\"b1\":{\"password\":\"abc\"}}" error: only X.509 cert/key paths are supported (fields: x509_cert_path, x509_key_path); username/password are not allowed: json: unknown field "password" -- base.FatalfCtx() at logging.go:151

Integration Tests

Copilot AI review requested due to automatic review settings August 12, 2025 20:23

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR removes support for basic authentication command line flags to enhance security by forcing users to use X.509 certificate authentication or configuration files. The bootstrap.password flag is completely disabled and will error when used, while username/password fields are no longer accepted in bucket_credentials and database_credentials command line flags.

Key Changes:

  • Disables the bootstrap.password command line flag with helpful error messaging
  • Restricts bucket_credentials and database_credentials flags to only accept X.509 certificate paths
  • Updates test cases to use X.509 authentication instead of username/password combinations

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| rest/config_flags.go | Implements flag disabling mechanism and X.509-only credential parsing for command line flags |
| rest/config_flags_test.go | Adds comprehensive tests for disabled flags and X.509-only credential validation |
| rest/config_test.go | Updates test cases to use new X.509 credential structure |
| rest/main_test.go | Removes unnecessary return statement in test case |
| base/bootstrap.go | Refactors credential configuration to separate X.509 fields into dedicated struct |


torcolvin (Collaborator) left a comment

bbrks (Member, Author) commented Aug 13, 2025

This looks fine, note docs.couchbase.com/sync-gateway/current/deploy/command-line-options.html#available-options will need to be updated.

I filed a DOC ticket to update this page with 4.0

@bbrks bbrks merged commit 60d9909 into main Aug 13, 2025
42 checks passed
@bbrks bbrks deleted the CBG-4737 branch August 13, 2025 13:38
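
The two rejections shown in the "Actual output" section, as an added Go example that is not the code from this PR: a removed flag fails with guidance, and a credentials flag is decoded strictly so that `username`/`password` keys produce the `json: unknown field` error that `encoding/json` returns when `DisallowUnknownFields` is set. The names `X509Creds`, `disabledFlags`, `checkDisabled` and `parseCredsFlag` and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// X509Creds (hypothetical type): the only keys a credentials flag may carry.
// The JSON field names are the ones listed in the error output above.
type X509Creds struct {
	CertPath string `json:"x509_cert_path,omitempty"`
	KeyPath  string `json:"x509_key_path,omitempty"`
}

// disabledFlags maps a removed flag to the guidance returned to the operator.
var disabledFlags = map[string]string{
	"bootstrap.password": "use the config file or X.509 cert/key path flags instead",
}

// checkDisabled fails loudly on a removed flag rather than silently ignoring it.
func checkDisabled(name string) error {
	if hint, ok := disabledFlags[name]; ok {
		return fmt.Errorf("command line flag %q is no longer supported: %s", name, hint)
	}
	return nil
}

// parseCredsFlag strictly decodes a value such as {"b1":{"x509_cert_path":"..."}}.
// The raw value is left out of the error so a rejected secret is not logged.
func parseCredsFlag(flag, value string) (map[string]X509Creds, error) {
	dec := json.NewDecoder(strings.NewReader(value))
	dec.DisallowUnknownFields() // "username"/"password" keys become hard errors
	var creds map[string]X509Creds
	if err := dec.Decode(&creds); err != nil {
		return nil, fmt.Errorf("flag %s: only X.509 cert/key paths are supported: %w", flag, err)
	}
	if dec.More() { // reject trailing data after the JSON object
		return nil, fmt.Errorf("flag %s: unexpected data after JSON value", flag)
	}
	return creds, nil
}

func main() {
	// Constructed sample inputs, not taken from the project's tests.
	fmt.Println(checkDisabled("bootstrap.password"))
	_, err := parseCredsFlag("bucket_credentials", `{"b1":{"password":"abc"}}`)
	fmt.Println(err)
}
```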