
Read sentry token from environment variable (SENTRY_AUTH_TOKEN)

Open LonelyCpp opened this issue 1 year ago • 5 comments

Current behaviour

The Android script only reads the auth token from sentry.properties. However, this file is usually checked into git, making the auth key vulnerable.

https://github.com/getsentry/sentry-react-native/blob/7335e6ef8c0eb8aea2418e15feb770818bc4e587/sentry.gradle#L186

Error logs:

Execution failed for task ':app:createBundleInternalReleaseJsAndAssets_SentryUpload_com.xxx.android@6.31.0-internal+1157_1157'.
> Illegal null value provided in this collection: [--log-level, debug, --url, https://sentry-dev.xxx.com/, --auth-token, null, react-native, gradle, --bundle, /Users/vagrant/git/android/app/build/generated/assets/createBundleInternalReleaseJsAndAssets/index.android.bundle, --sourcemap, /Users/vagrant/git/android/app/build/generated/sourcemaps/react/internalRelease/index.android.bundle.map, --org, xxx, --project, xxx, --release, [email protected]+1157, --dist, 1157]

Expected

Android and iOS source upload scripts must respect the SENTRY_AUTH_TOKEN if present

This enables us to keep the auth token as a secret in our CI environments.


Note: it looks like iOS does read from the environment variable, but I couldn't confirm it in the source code. It would be helpful if the maintainers could point out where this happens.

Related issue: https://github.com/getsentry/sentry-react-native/issues/1888 (but does not work)

LonelyCpp avatar May 01 '24 12:05 LonelyCpp

Hi @LonelyCpp, thank you for the message. The SENTRY_AUTH_TOKEN is not read in combination with flavorAware, which you are using.

In all other cases the SENTRY_AUTH_TOKEN env is read in sentry-cli directly: https://github.com/getsentry/sentry-cli/blob/2be24a428e5b8c1102e96919b512d431ba475a08/src/config.rs#L672

It also looks like a bug to me.

krystofwoldrich avatar May 02 '24 15:05 krystofwoldrich

Internal Note: (mention in release) This could be potentially breaking for users expecting the token from the sentry.properties to be used.

krystofwoldrich avatar May 03 '24 12:05 krystofwoldrich

Perhaps the Gradle script should allow null values to be sent for the key field.

This would make the CLI read from env and would not affect users who have the token in sentry.properties - backward compatible!

LonelyCpp avatar May 03 '24 19:05 LonelyCpp

@LonelyCpp Thank you, yes, we should treat sentry.properties the same as a flag of sentry-cli: when the value is missing we try to read it from the env.

krystofwoldrich avatar May 06 '24 17:05 krystofwoldrich
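The resolution order proposed in the two comments above (token from sentry.properties when present, otherwise leave it to sentry-cli to read SENTRY_AUTH_TOKEN), modelled as an added Python example. This is not code from sentry-react-native or sentry-cli; the `sentry.gradle` logic is Groovy, and the properties content, the `auth.token` key name and the function names below are assumptions made for illustration. The "old" builder reproduces the shape of the failing argument list from the error log, where a missing token becomes a literal null in the collection.

```python
"""Model of auth-token resolution for the sentry-cli upload step.

Precedence (assumed, per the thread): a value in sentry.properties wins, for
backward compatibility; otherwise the --auth-token flag is omitted entirely so
that sentry-cli resolves SENTRY_AUTH_TOKEN from its own environment.
"""
import os

# Constructed sample: a flavor-aware sentry.properties that is checked into git
# and therefore intentionally carries no auth.token line.
SAMPLE_PROPERTIES = """\
# sentry.properties committed to the repo; secret deliberately absent
defaults.url=https://sentry-dev.example.com/
defaults.org = xxx
defaults.project: xxx
"""


def parse_properties(text):
    """Minimal Java .properties parser: '=' or ':' separators, '#'/'!' comments.

    Escapes and line continuations are not handled; enough for this example.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, value = line.split(sep, 1)
                props[key.strip()] = value.strip()
                break
    return props


def resolve_auth_token(props, env):
    """Return (token, source) with source one of 'sentry.properties', 'env', None."""
    token = props.get("auth.token")  # hypothetical key name
    if token:
        return token, "sentry.properties"
    token = env.get("SENTRY_AUTH_TOKEN")
    if token:
        return token, "env"
    return None, None


def build_cli_args_old(props):
    """Pre-fix shape: the token is always injected, even when it is missing.

    A None here is what surfaces as 'Illegal null value provided in this
    collection' once Gradle turns the list into a process command line.
    """
    return ["--url", props.get("defaults.url"),
            "--auth-token", props.get("auth.token"),
            "react-native", "gradle"]


def build_cli_args(props, env):
    """Post-fix shape: --auth-token only when sentry.properties supplies it."""
    args = ["--url", props["defaults.url"]]
    token, source = resolve_auth_token(props, env)
    if source == "sentry.properties":
        args += ["--auth-token", token]
    # Token from env (or absent): omit the flag. sentry-cli reads
    # SENTRY_AUTH_TOKEN itself, and the secret never appears in argv.
    args += ["react-native", "gradle",
             "--org", props["defaults.org"],
             "--project", props["defaults.project"]]
    return args


def has_null(args):
    """True if any element would be a null in the Gradle argument collection."""
    return any(a is None for a in args)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("old:", build_cli_args_old(props), "has null:", has_null(build_cli_args_old(props)))
    print("new:", build_cli_args(props, os.environ))
```

Omitting the flag rather than passing the env value on the command line has a second benefit beyond avoiding the null: a token given as `--auth-token` is visible to any local user in the process list for the duration of the upload, whereas a token read by sentry-cli from its own environment is not.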

Any update on this?

psbdgr8 avatar May 08 '24 07:05 psbdgr8