feat(sentry-apps): hide clientSecret in 1 day after creation (#69289)

Follow-up on #69015
#69115

Author: oioki

src/sentry/api/serializers/models/apiapplication.py

@@ -9,11 +9,11 @@
 @register(ApiApplication)
 class ApiApplicationSerializer(Serializer):
     def serialize(self, obj, attrs, user):
-        has_secret = obj.date_added > timezone.now() - timedelta(days=1)
+        is_secret_visible = obj.date_added > timezone.now() - timedelta(days=1)
         return {
             "id": obj.client_id,
             "clientID": obj.client_id,
-            "clientSecret": obj.client_secret if has_secret else None,
+            "clientSecret": obj.client_secret if is_secret_visible else None,
             "name": obj.name,
             "homepageUrl": obj.homepage_url,
             "privacyUrl": obj.privacy_url,

src/sentry/api/serializers/models/sentry_app.py

@@ -1,6 +1,9 @@
 from collections.abc import Mapping
+from datetime import timedelta
 from typing import Any
 
+from django.utils import timezone
+
 from sentry.api.serializers import Serializer, register, serialize
 from sentry.app import env
 from sentry.auth.staff import is_active_staff
@@ -91,13 +94,14 @@ def serialize(self, obj, attrs, user, access):
                 is_active_superuser(env.request) or is_active_staff(env.request)
             )
             if elevated_user or owner.id in user_org_ids:
+                is_secret_visible = obj.date_added > timezone.now() - timedelta(days=1)
                 client_secret = (
                     obj.application.client_secret if obj.show_auth_info(access) else MASKED_VALUE
                 )
                 data.update(
                     {
                         "clientId": obj.application.client_id,
-                        "clientSecret": client_secret,
+                        "clientSecret": client_secret if is_secret_visible else None,
                         "owner": {"id": owner.id, "slug": owner.slug},
                     }
                 )

tests/sentry/api/serializers/test_sentry_app.py

@@ -1,8 +1,12 @@
+from datetime import datetime, timedelta
+
 from sentry.api.serializers import serialize
 from sentry.api.serializers.models.sentry_app import SentryAppSerializer
+from sentry.auth import access
 from sentry.models.avatars.sentry_app_avatar import SentryAppAvatar
 from sentry.testutils.cases import TestCase
-from sentry.testutils.silo import control_silo_test
+from sentry.testutils.helpers.datetime import freeze_time
+from sentry.testutils.silo import control_silo_test, no_silo_test
 
 
 @control_silo_test
@@ -59,3 +63,20 @@ def test_with_avatar(self):
         assert result["avatars"][0]["avatarUuid"] == "abc123"
         assert result["avatars"][0]["avatarType"] == "upload"
         assert result["avatars"][0]["avatarUrl"] == "http://testserver/sentry-app-avatar/abc123/"
+
+
+@no_silo_test
+class SentryAppHiddenClientSecretSerializerTest(TestCase):
+    def test_hidden_client_secret(self):
+        sentry_app = self.create_sentry_app(
+            name="Tesla App", organization=self.organization, published=True, scopes=("org:write",)
+        )
+
+        acc = access.from_user(self.user, self.organization)
+        result = serialize(sentry_app, self.user, SentryAppSerializer(), access=acc)
+        assert result["clientSecret"] is not None
+
+        now = datetime.now()
+        with freeze_time(now + timedelta(hours=25)):
+            result = serialize(sentry_app, self.user, SentryAppSerializer(), access=acc)
+            assert result["clientSecret"] is None