Conversation
node-overhead report 🧳Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
|
So the issue with I think having an agnostic tunnel implementation is worth having, but perhaps we should introduce a One thing to keep in mind is different implementations of the tunnel feature depends heavily on the framework itself, in Next.js it is implemented as simple re-write rules, so we almost don't have any runtime logic for it on the serve-side. cc @Lms24 |
This is not the case because of tree-shaking. We have the If a helper like this ends up in the Node SDK it won't be usable in non-Node based SDKs. |
| // This prevents SSRF attacks where attackers send crafted envelopes | ||
| // with malicious DSNs pointing to arbitrary hosts | ||
| const isAllowed = allowedDsnComponents.some( | ||
| allowed => allowed.host === dsnComponents.host && allowed.projectId === dsnComponents.projectId, |
There was a problem hiding this comment.
I'm not sure it's enough to just check the host matches. We should have a list of allowed DSNs and only forward when they match.
There was a problem hiding this comment.
Yeah the allowedDsnComponents are passed from the outside and they're exactly that - a list of allowed DSNs.
There was a problem hiding this comment.
maybe instead of turning them in components we should pass them as string arrays and do a plain string comparison?
There was a problem hiding this comment.
I kinda like this approach over #14137 because it returns the response to the caller. We need to make sure that the client SDK receives Sentry's response to correctly handle rate limits to avoid backpressure build ups of rate-limited data. This way, the client SDK will apply the rate limits on its end and stop sending stuff to the tunnel endpoint. (Tim, let me know if I misinterpreted your PR and we do in fact handle rate limiting)
I have one request though: Let's split this PR up into the core change that adds the helper and then the Tanstack Start stuff on top. We should also add tests for the core handler alone. I'd recommend we take inspiration from #14137 on the integration test front.
| * No-op stub for client-side builds. | ||
| * The actual implementation is server-only, but this stub is needed to prevent build errors. | ||
| */ | ||
| export function createTunnelHandler( |
There was a problem hiding this comment.
l: is this really the case? Do we have to create stubs from all of our server exports in TSS? (cc @nicohrubec)
| * @returns Promise resolving to status, body, and contentType | ||
| */ | ||
| export async function handleTunnelRequest( | ||
| body: string | Uint8Array, |
There was a problem hiding this comment.
l: I think we should always assume bytes here, to avoid callers accidentally already strinfifying compressed/binary payloads
| body: string | Uint8Array, | |
| body: Uint8Array, |
| */ | ||
| export async function handleTunnelRequest( | ||
| body: string | Uint8Array, | ||
| allowedDsnComponents: Array<DsnComponents>, |
There was a problem hiding this comment.
I'd also refactor this a bit to an options object parameter (for future proofing) and as you suggested, make it accept a list of DSN strings. This should be easier for users to use. For us internally, it should make no difference.
No you're totally right. This is a better approach! I think ideally we also want a wrapper with If we auto setup tunneling to frameworks (like nextjs does) we should use some random ID rather than |
Yup that would be ideal. My thinking was that some frameworks use different kinds of
+1 for the random id but let's be careful about full auto setup. AFAIK, we don't auto enable |
4 participants
Overview
Right now only the Next.js SDK has a built-in tunnel handler on the backend side, but this PR aims to extract the tunnel handling logic in plain JavaScript in
@sentry/core, and provide framework-specific adapters.Framework-specific adapters checklist
Questions for the team
@sentry/corea good home for the framework-agnostic tunnel handler function?TODOs