diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9696bf73b..28baa38dd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,11 @@
 ### Fixes
 
 - Option `enabled: false` ensures no events are sent ([#3606](https://github.com/getsentry/sentry-react-native/pull/3606))
+- Don't add Expo Plugin option `authToken` to application bundle ([#3630](https://github.com/getsentry/sentry-react-native/pull/3630))
+  - Expo plugin configurations are generelly stored in plain text, and are also automatically added to built app bundles, and are therefore considered insecure.
+  - You should not set the auth token in the plugin config except for local testing. Instead, use the `SENTRY_AUTH_TOKEN` env variable, as pointed out in our [docs](https://docs.sentry.io/platforms/react-native/manual-setup/expo/).
+  - In addition to showing a warning, we are now actively removing an `authToken` from the plugin config if it was set.
+  - If you had set the auth token in the plugin config previously, **and** built and published an app with that config, you should [rotate your token](https://docs.sentry.io/product/accounts/auth-tokens/).
 - Ignore JSON response when retrieving source context from local Expo Dev Server ([#3611](https://github.com/getsentry/sentry-react-native/pull/3611))
 
 ### Dependencies
diff --git a/plugin/src/withSentry.ts b/plugin/src/withSentry.ts
index f1a4022fd..acf6ff4d6 100644
--- a/plugin/src/withSentry.ts
+++ b/plugin/src/withSentry.ts
@@ -14,6 +14,12 @@ interface PluginProps {
 
 const withSentryPlugin: ConfigPlugin = (config, props) => {
   const sentryProperties = getSentryProperties(props);
+
+  if (props && props.authToken) {
+    // If not removed, the plugin config with the authToken will be written to the application package
+    delete props.authToken;
+  }
+
   let cfg = config;
   if (sentryProperties !== null) {
     try {
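Review bot: The new `delete props.authToken` block in `withSentryPlugin` edits the caller's config silently — nothing in the hunk emits a warning at the point of removal, so a developer only discovers the change from the generated properties file; if the warning the changelog mentions is not implemented elsewhere, add `console.warn('[@sentry/react-native/expo] Removed `authToken` from plugin config; set SENTRY_AUTH_TOKEN instead');` inside the `if`. The fix also assumes Expo hands the plugin the very object it later serialises into the bundle, so the mutation propagates; that assumption is worth stating in the comment, e.g. `// props is the same object Expo serialises into the app manifest, so deleting here keeps the token out of the bundle — verify if Expo starts passing a copy`. Note that `getSentryProperties(props)` on the line above has already captured the token, so the generated `sentry.properties` still contains it in plaintext; presumably intended for native builds, but the comment should say so. The body of `withSentryPlugin` continues past the end of the hunk.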
@@ -33,12 +39,14 @@ const withSentryPlugin: ConfigPlugin = (config, props) => {
       );
     }
   }
+
   return cfg;
 };
 
-const missingAuthTokenMessage = '# auth.token is configured through SENTRY_AUTH_TOKEN environment variable';
 const missingProjectMessage = '# no project found, falling back to SENTRY_PROJECT environment variable';
 const missingOrgMessage = '# no org found, falling back to SENTRY_ORG environment variable';
+const existingAuthTokenMessage = `# DO NOT COMMIT the auth token, use SENTRY_AUTH_TOKEN instead, see https://docs.sentry.io/platforms/react-native/manual-setup/`;
+const missingAuthTokenMessage = `# Using SENTRY_AUTH_TOKEN environment variable`;
 
 export function getSentryProperties(props: PluginProps | void): string | null {
   const { organization, project, authToken, url = 'https://sentry.io/' } = props ?? {};
@@ -56,12 +64,7 @@ export function getSentryProperties(props: PluginProps | void): string | null {
   return `defaults.url=${url}
 ${organization ? `defaults.org=${organization}` : missingOrgMessage}
 ${project ? `defaults.project=${project}` : missingProjectMessage}
-${
-  authToken
-    ? `# Configure this value through \`SENTRY_AUTH_TOKEN\` environment variable instead. See: https://docs.sentry.io/platforms/react-native/manual-setup/\nauth.token=${authToken}`
-    : missingAuthTokenMessage
-}
-`;
+${authToken ? `${existingAuthTokenMessage}\nauth.token=${authToken}` : missingAuthTokenMessage}`;
 }
 
 // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
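Review bot: The two new message constants `existingAuthTokenMessage` and `missingAuthTokenMessage` are written as backtick template literals although neither interpolates anything, while the adjacent `missingProjectMessage` and `missingOrgMessage` use plain single-quoted strings; keeping one form makes the block easier to scan and avoids a lint rule firing on needless templates. Change them to `const existingAuthTokenMessage = '# DO NOT COMMIT the auth token, use SENTRY_AUTH_TOKEN instead, see https://docs.sentry.io/platforms/react-native/manual-setup/';` and `const missingAuthTokenMessage = '# Using SENTRY_AUTH_TOKEN environment variable';`. A short comment above them, `// These lines are emitted verbatim into the generated sentry.properties file as comments`, would also make clear that they are file content rather than log output.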
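Review bot: The rewritten return in `getSentryProperties` drops the trailing newline the old template ended with (the removed lone backtick line), so the generated `sentry.properties` no longer ends in a line break; this is harmless for most `.properties` readers but is a behaviour change the commit does not mention, and `${authToken ? `${existingAuthTokenMessage}\nauth.token=${authToken}` : missingAuthTokenMessage}\n`;` restores it. Since the token value is still interpolated unescaped into a line-oriented file, a value containing a line break would also split into extra keys; the value comes from the developer's own config rather than untrusted input, so this is defensive, but a comment such as `// authToken is emitted verbatim; it is expected to contain no newlines` documents the assumption.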