feat(snapshots): Authenticate with Objectstore#3258
Conversation
Bump objectstore-client to 0.1.6 and use the dedicated auth token from ObjectstoreUploadOptions when available, instead of always reusing the Sentry auth token. The Sentry token is now passed as a Bearer authorization header via configure_reqwest for request verification. This resolves the TODO in the previous implementation and decouples objectstore authentication from Sentry authentication. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
lcian
changed the title
|
lcian
added
the
skip-changelog
The objectstore-client 0.1.6 upgrade changed send() to return a Future, so it needs to be awaited before calling error_for_failures(). Also add changelog entry for the PR. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
Enable the serde feature on secrecy and use SecretString instead of plain String for the auth_token field in ObjectstoreUploadOptions. This prevents accidental logging of the token. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
szokeasaurusrex
left a comment
szokeasaurusrex
left a comment
There was a problem hiding this comment.
Mostly looks good, have some questions and suggestions though
| auth | ||
| let mut builder = ClientBuilder::new(options.objectstore.url); | ||
| if let Some(token) = options.objectstore.auth_token { | ||
| builder = builder.token(token.expose_secret().to_owned()); |
There was a problem hiding this comment.
l: Why not implement From<Secret<String>> for TokenProvider?
I think that probably reduces the scope where the secret string could accidentally get leaked in a panic.
There was a problem hiding this comment.
As we discussed previously, internally the TokenProvider stores a newtype with a Debug implementation which redacts the key, so practically the effect is the same.
I'm not opposed to implementing From<Secret<String>> for TokenProvider though, it just adds a single dep more to objectstore-client, I'll do it sometime soon.
There was a problem hiding this comment.
You could place the From implementation behind a feature flag, that would make the secrecy crate an optional dependency
There was a problem hiding this comment.
but this comment is nonblocking in any case
Co-authored-by: Daniel Szoke <7881302+szokeasaurusrex@users.noreply.github.com>
2 participants
Bump
objectstore-clientto 0.1.6 and use the dedicated auth token now returned byObjectstoreUploadOptions..tokenin the newest version of Objectstore client passes it in theX-Os-Authheader.The Sentry auth token is still passed through the standard
Authorizationheader for auth with Django.#skip-changelog