feat(server): Add X-Os-Auth as alternative auth header#422
Merged
Conversation
…entication Requests proxied through Django (client -> Django -> objectstore) use the standard Authorization header for Django auth. To support objectstore auth in that setup, we introduce a dedicated X-Objectstore-Auth header. The server checks it first and falls back to Authorization for backwards compatibility. Both clients now send the new header.
Semver Impact of This PR🟡 Minor (new features) 📋 Changelog PreviewThis is how your changes will appear in the changelog. New Features ✨
Internal Changes 🔧
🤖 This preview updates automatically when you update the PR. |
lcian
commented
Apr 8, 2026
jan-auer
approved these changes
Apr 8, 2026
Member
jan-auer
left a comment
jan-auer
left a comment
There was a problem hiding this comment.
LGTM, thanks!
Two optional thoughts:
- I think going with
x-os-authis a good option, because we've been considering to consolidate built-in headers tox-os-*already. It's arguable that this one is not metadata of an object and still shares the same prefix, in my opinion. - Should we leave the "default" header as
Authorization? That's a standard header, so I would expect it to work with less friction.
Member
Author
let mut builder = ClientBuilder::new(options.objectstore.url);
if let Some(token) = options.objectstore.auth_token {
builder = builder.token(token);
}
let client = builder
.configure_reqwest(|r| {
let mut headers = http::HeaderMap::new();
headers.insert(http::header::AUTHORIZATION, sentry_token);
})
.build()?;Otherwise, you would need to set both via |
lcian
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Requests proxied through Django need the standard
Authorizationheader for Django auth, at least until we enable and enforce auth everywhere. That header clashes with objectstore's own JWT auth.This PR introduces a dedicated
X-Os-Authheader (mirroring Relay'sX-Sentry-Authconvention):X-Os-Authfirst, falls back toAuthorizationfor backwards compatibilityX-Os-Authinstead ofAuthorizationX-Os-Authinstead ofAuthorizationWe use the
X-Sn-<key>prefix for other headers (such as object metadata), so this newX-Osprefix is not consistent with it.Still, I thought it would make sense to explicitly prefix this with
X-Osto make it immediately clear what it's for (when e.g. looking at traces in Sentry) and to avoid any clashes thatX-Sn-Authorizationcould cause, now or in the future.A separate task, out of scope for this PR, would be to change metadata to also use
X-Osas prefix, which will need a migration period where we double read before all clients are updated.