fix(auth): Include state in authentication requests #743
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes the authentication payloads so that Sentry can authenticate without keeping state between the request and response API calls. This fixes a range of issues with the former authentication system.
Issues
Changes
This change introduces
RegisterState
, a data container that is signed with a secret by the upstream. As it contains the public key and a timestamp, it ensures that the downstream cannot tamper with the state or use another Relay's token. Since the public key of the state is also used to verify the Relay request signature, the upstream can rely on the state without keeping caches. By encoding the state into thetoken
, the HTTP API remains backwards compatible.In addition to this, the default challenge TTL has been reduced from 15 minutes to 60 seconds.
Release
This change contains breaking changes to the Python API and requires a minor bump of the
sentry_relay
library. It is backwards compatible on the HTTP API. After updating in Sentry, old Relays will also use the new authentication system.Deployment
This change can be deployed independently to Sentry and Relay in no particular order. Updating the library in Sentry will require code changes.
There is a minimal potential for breakage if Relays are authenticating while Sentry is being deployed. However, Relays will retry on authentication failure and as such, the condition resolves automatically as soon as the deployment finishes.