
Commit 87df077

oiokiMichaelSun48
authored and committed
feat(sentry-apps): hide clientSecret in 1 day after creation (#69289)
Follow-up on #69015 and #69115.
1 parent ce6f54f commit 87df077

3 files changed

+29
-4
lines changed


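--- a/src/sentry/api/serializers/models/apiapplication.py
+++ b/src/sentry/api/serializers/models/apiapplication.py
@@ -9,11 +9,11 @@
 @register(ApiApplication)
 class ApiApplicationSerializer(Serializer):
     def serialize(self, obj, attrs, user):
-        has_secret = obj.date_added > timezone.now() - timedelta(days=1)
+        is_secret_visible = obj.date_added > timezone.now() - timedelta(days=1)
         return {
             "id": obj.client_id,
             "clientID": obj.client_id,
-            "clientSecret": obj.client_secret if has_secret else None,
+            "clientSecret": obj.client_secret if is_secret_visible else None,
             "name": obj.name,
             "homepageUrl": obj.homepage_url,
             "privacyUrl": obj.privacy_url,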

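--- a/src/sentry/api/serializers/models/sentry_app.py
+++ b/src/sentry/api/serializers/models/sentry_app.py
@@ -1,6 +1,9 @@
 from collections.abc import Mapping
+from datetime import timedelta
 from typing import Any
 
+from django.utils import timezone
+
 from sentry.api.serializers import Serializer, register, serialize
 from sentry.app import env
 from sentry.auth.staff import is_active_staff
@@ -91,13 +94,14 @@ def serialize(self, obj, attrs, user, access):
             is_active_superuser(env.request) or is_active_staff(env.request)
         )
         if elevated_user or owner.id in user_org_ids:
+            is_secret_visible = obj.date_added > timezone.now() - timedelta(days=1)
             client_secret = (
                 obj.application.client_secret if obj.show_auth_info(access) else MASKED_VALUE
             )
             data.update(
                 {
                     "clientId": obj.application.client_id,
-                    "clientSecret": client_secret,
+                    "clientSecret": client_secret if is_secret_visible else None,
                     "owner": {"id": owner.id, "slug": owner.slug},
                 }
             )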
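Review bot: The 24-hour window on the added `is_secret_visible` line is keyed on the SentryApp row's `date_added`, whereas the sibling ApiApplicationSerializer in this same commit keys the identical window on the ApiApplication row that actually owns `client_secret`; if those two rows are ever created at different times, or the application's secret is ever re-issued without touching the SentryApp row, the two endpoints will disagree about whether the same secret may be shown. Keying on `obj.application.date_added` and lifting the duplicated `timedelta(days=1)` into one shared module-level constant, e.g. `CLIENT_SECRET_VISIBILITY_WINDOW = timedelta(days=1)`, keeps the policy in a single place. Note also that once the window has elapsed the new `clientSecret` line turns `MASKED_VALUE` into `None` too, so a consumer can no longer distinguish "not authorized to see it" from "no longer shown"; if that collapse is intended, a short comment would help, e.g. `# The secret is only surfaced for 24h after creation; None afterwards regardless of access`. The enclosing `serialize` method starts and ends outside this hunk.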

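--- a/tests/sentry/api/serializers/test_sentry_app.py
+++ b/tests/sentry/api/serializers/test_sentry_app.py
@@ -1,8 +1,12 @@
+from datetime import datetime, timedelta
+
 from sentry.api.serializers import serialize
 from sentry.api.serializers.models.sentry_app import SentryAppSerializer
+from sentry.auth import access
 from sentry.models.avatars.sentry_app_avatar import SentryAppAvatar
 from sentry.testutils.cases import TestCase
-from sentry.testutils.silo import control_silo_test
+from sentry.testutils.helpers.datetime import freeze_time
+from sentry.testutils.silo import control_silo_test, no_silo_test
 
 
 @control_silo_test
@@ -59,3 +63,20 @@ def test_with_avatar(self):
         assert result["avatars"][0]["avatarUuid"] == "abc123"
         assert result["avatars"][0]["avatarType"] == "upload"
         assert result["avatars"][0]["avatarUrl"] == "http://testserver/sentry-app-avatar/abc123/"
+
+
+@no_silo_test
+class SentryAppHiddenClientSecretSerializerTest(TestCase):
+    def test_hidden_client_secret(self):
+        sentry_app = self.create_sentry_app(
+            name="Tesla App", organization=self.organization, published=True, scopes=("org:write",)
+        )
+
+        acc = access.from_user(self.user, self.organization)
+        result = serialize(sentry_app, self.user, SentryAppSerializer(), access=acc)
+        assert result["clientSecret"] is not None
+
+        now = datetime.now()
+        with freeze_time(now + timedelta(hours=25)):
+            result = serialize(sentry_app, self.user, SentryAppSerializer(), access=acc)
+            assert result["clientSecret"] is None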
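Review bot: `now = datetime.now()` in the new test is a naive local-time value, while the serializer under test compares `date_added` against the aware `timezone.now()`; if `freeze_time` here wraps freezegun as the helper name suggests, a naive datetime is treated as UTC, so on a host whose local zone is behind UTC the frozen clock lands fewer than 24 hours after creation and the final `is None` assertion fails. Build the frozen instant from an aware clock instead, `with freeze_time(timezone.now() + timedelta(hours=25)):` with `from django.utils import timezone`, which also drops the `datetime` import. The visible case would be worth pinning more tightly than `is not None`, e.g. `assert result["clientSecret"] == sentry_app.application.client_secret`, so a regression that returns `MASKED_VALUE` is caught — assuming `access.from_user` for the owning organization is meant to satisfy `show_auth_info`. A second check just inside the window (e.g. 23 hours) would also guard the boundary the commit is introducing.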
