
[Docs issue] Need guidance on how securely to treat Sentry auth token (should it go in source control?)

Open lukewlms opened this issue 5 years ago • 4 comments

By default, the Sentry auth token is added to source control in multiple ways:

  • ./ios/sentry.properties and ./android/sentry.properties
  • In our case, added to fastfile in the upload_symbols_to_sentry step

The docs don't specify if the auth token should be treated more securely than the URL-esque key used in source code (which we put in an .ENV file although it will of course ship in the client).

It doesn't look like the CLI can do anything too destructive - only add, not delete, as far as I can see on a quick skim. So perhaps it's ok to have this auth token in source control.

But I think it would be valuable to have an explicit instruction both in the setup steps and at this URL: https://sentry.io/settings/account/api/auth-tokens/ (That page also does not appear to give any guidance on how to treat this auth token.)

That way we'll all know what the best security practice is for these tokens.

Thanks for taking a look!

lukewlms avatar Sep 21 '20 23:09 lukewlms

Hmm I agree, the auth token should not be included in source-control. Thanks for the suggestion and I will get on this.

jennmueng avatar Sep 24 '20 07:09 jennmueng

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

github-actions[bot] avatar Nov 04 '21 15:11 github-actions[bot]

We'll discuss internally whether we have to document the optimal approach for this, but I'd say it is the app's responsibility to secure its own token. This is sensitive information and should be treated as such: not checked into source control, etc. One idea is to remove the token from the files and set it as the SENTRY_AUTH_TOKEN env var when running releases.

marandaneto avatar Nov 12 '21 09:11 marandaneto
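The approach suggested in the comment above (strip the token from the two sentry.properties files and supply it as SENTRY_AUTH_TOKEN at release time), as an added example that is not part of this thread and not code from the sentry-react-native project. It assumes the standard `ios/sentry.properties` and `android/sentry.properties` layout and relies on the fact that sentry-cli reads SENTRY_AUTH_TOKEN from the environment; the function names, the preflight script and the sample project it builds are this example's own, and the token value it plants is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the sentry-react-native project.
# Release preflight: refuse to proceed if an auth.token line is committed in
# ios/sentry.properties or android/sentry.properties, and require the token
# to come from SENTRY_AUTH_TOKEN (which sentry-cli reads on its own) instead.

TOKEN_LINE_RE='^[[:space:]]*auth\.token[[:space:]]*='

# Return 0 if neither sentry.properties under project root $1 carries an
# auth.token entry; otherwise print each offending file:line and return 1.
scan_properties_for_token() {
  dir="$1"
  found=0
  for f in "$dir/ios/sentry.properties" "$dir/android/sentry.properties"; do
    [ -f "$f" ] || continue
    if grep -n -E "$TOKEN_LINE_RE" "$f"; then
      found=1
    fi
  done
  return $found
}

# Rewrite one properties file without its auth.token line (keeps org/project/url).
strip_token_from_file() {
  f="$1"
  tmp="$f.tmp"
  grep -v -E "$TOKEN_LINE_RE" "$f" > "$tmp" || true
  mv "$tmp" "$f"
}

# Return 0 if SENTRY_AUTH_TOKEN is set and non-empty, 1 otherwise.
require_auth_token_env() {
  [ -n "${SENTRY_AUTH_TOKEN:-}" ]
}

# Combined gate to run before `sentry-cli upload-dif` / fastlane release steps:
# token must not be in the repo files, and must be present in the environment.
release_preflight() {
  dir="$1"
  if ! scan_properties_for_token "$dir"; then
    echo "refusing to release: auth.token committed in sentry.properties" >&2
    return 1
  fi
  if ! require_auth_token_env; then
    echo "refusing to release: SENTRY_AUTH_TOKEN is not set" >&2
    return 1
  fi
  return 0
}

# Build a constructed sample project in a temp dir (paths only, not a real app)
# and print its root. The android file deliberately contains a placeholder token.
make_sample_project() {
  root=$(mktemp -d)
  mkdir -p "$root/ios" "$root/android"
  # Safe: only org/project/url, nothing secret.
  printf 'defaults.url=https://sentry.io/\ndefaults.org=example-org\ndefaults.project=example-app\n' \
    > "$root/ios/sentry.properties"
  # Unsafe: token committed next to the settings (constructed placeholder value).
  printf 'defaults.org=example-org\ndefaults.project=example-app\nauth.token=PLACEHOLDER_NOT_A_REAL_TOKEN\n' \
    > "$root/android/sentry.properties"
  printf '%s' "$root"
}

# Usage: run the gate against the sample project, fix it, run it again.
if [ "${RUN_DEMO:-0}" = "1" ]; then
  root=$(make_sample_project)
  release_preflight "$root" || echo "preflight failed as expected"
  strip_token_from_file "$root/android/sentry.properties"
  SENTRY_AUTH_TOKEN="set-by-ci-secret" release_preflight "$root" && echo "preflight ok"
fi
```

In CI the token comes from the runner's secret store into SENTRY_AUTH_TOKEN for the release job only; the properties files in the repo then carry just `defaults.org`, `defaults.project` and `defaults.url`, which are not secrets.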

We'll document that this is sensitive information and should not be publicly available.

marandaneto avatar Jan 19 '22 15:01 marandaneto

In case this is useful for anyone else coming across the issue, this has since been discussed here as well — https://github.com/getsentry/sentry-react-native/discussions/2618

darrylyoung avatar Nov 17 '22 15:11 darrylyoung