feat(auth-v2): Use HTTP Header to protect endpoints on production #94588


Open. Wants to merge 3 commits into base: master

Conversation

leedongwei (Member)

Depends on #94390.

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jun 27, 2025
@cursor cursor bot left a comment

Bug: Default Secret Vulnerability

The AUTH_V2_SECRET defaults to an empty string. In production, if left unconfigured, this allows an attacker to bypass authentication by sending an empty X-Sentry-Auth-V2 header, as the permission check "" == "" evaluates to True. Additionally, the comment Protect login/registration endpoints during development phase is misleading, as the AuthV2Permission logic enforces protection in production (when IS_DEV is False), not during development.

src/sentry/conf/server.py#L650-L652

# Protect login/registration endpoints during development phase
AUTH_V2_SECRET = ""

src/sentry/auth_v2/endpoints/base.py#L12-L14

secret = request.META.get("HTTP_X_SENTRY_AUTH_V2")
return secret == settings.AUTH_V2_SECRET

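A defender-side illustration of the issue the Cursor review raises, added here as an example that is not part of this PR or of Sentry's code. The `Settings` and `Request` classes are constructed stand-ins for `django.conf.settings` and a Django request object; `vulnerable_has_permission` mirrors the comparison quoted from `base.py` above, and `hardened_has_permission` shows one way to fail closed when `AUTH_V2_SECRET` is unset and to compare the header in constant time. The `IS_DEV` gating follows the review's description of `AuthV2Permission` (protection enforced only when `IS_DEV` is False); the `validate_auth_v2_secret` startup check is a hypothetical helper, not something the PR adds.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Settings:
    """Constructed stand-in for django.conf.settings."""
    AUTH_V2_SECRET: str = ""   # the default the review flags
    IS_DEV: bool = False


@dataclass
class Request:
    """Constructed stand-in for a Django request; META holds WSGI-style headers."""
    META: dict = field(default_factory=dict)


def vulnerable_has_permission(request: Request, settings: Settings) -> bool:
    # The check as quoted in the review: with an unconfigured secret ("")
    # an empty X-Sentry-Auth-V2 header makes "" == "" evaluate to True.
    secret = request.META.get("HTTP_X_SENTRY_AUTH_V2")
    return secret == settings.AUTH_V2_SECRET


def hardened_has_permission(request: Request, settings: Settings) -> bool:
    # Development bypass, as the review describes the intended behaviour:
    # the header is only enforced in production.
    if settings.IS_DEV:
        return True
    expected = settings.AUTH_V2_SECRET
    # Fail closed: an empty or unset secret never grants access.
    if not expected:
        return False
    provided = request.META.get("HTTP_X_SENTRY_AUTH_V2")
    # A missing header (None) or an empty header is rejected outright.
    if not isinstance(provided, str) or not provided:
        return False
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def validate_auth_v2_secret(settings: Settings) -> bool:
    """Hypothetical startup check: refuse to boot production with an empty secret.

    Returns True when the configuration is acceptable; raises otherwise, so a
    misconfigured deployment fails loudly instead of silently accepting "".
    """
    if not settings.IS_DEV and not settings.AUTH_V2_SECRET:
        raise RuntimeError("AUTH_V2_SECRET must be set when IS_DEV is False")
    return True


if __name__ == "__main__":
    prod_unset = Settings()
    empty_header = Request({"HTTP_X_SENTRY_AUTH_V2": ""})
    print("vulnerable, empty header, unset secret:",
          vulnerable_has_permission(empty_header, prod_unset))
    print("hardened,   empty header, unset secret:",
          hardened_has_permission(empty_header, prod_unset))
```

Running the block prints `True` for the vulnerable check and `False` for the hardened one on the same request, which is the behaviour difference the review is pointing at. In a real deployment the startup validation belongs wherever settings are loaded, so the empty-default case is caught before any request is served.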


codecov bot commented Jun 27, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #94588      +/-   ##
==========================================
- Coverage   81.67%   80.35%   -1.32%     
==========================================
  Files       10406    10406              
  Lines      602542   602542              
  Branches    23448    23448              
==========================================
- Hits       492117   484181    -7936     
- Misses     109673   117609    +7936     
  Partials      752      752              
