feat(sentry): add user attribution to all authenticated requests#989
Open
kilo-code-bot[bot] wants to merge 2 commits intomainfrom
Open
feat(sentry): add user attribution to all authenticated requests#989kilo-code-bot[bot] wants to merge 2 commits intomainfrom
kilo-code-bot[bot] wants to merge 2 commits intomainfrom
Conversation
Contributor
Author
Code Review SummaryStatus: No Issues Found | Recommendation: Merge Files Reviewed (2 files)
Reviewed by gpt-5.4-20260305 · 142,689 tokens |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Sentry.setUser()invalidateUserAuthorization()(src/lib/user.server.ts), which is the single success path for all authenticated requests (both tRPC and non-tRPC API routes).id,email(fromgoogle_user_email), andip_address: '{{auto}}'(lets Sentry infer IP from the connection) on every successfully authenticated request's isolation scope.setTag('userId', ...)call in the tRPC context creator, which only covered tRPC routes and only set a tag rather than a first-class Sentry user.src/lib/getUserFromAuth.test.ts) that exercisesgetUserFromAuthend-to-end through mocked dependencies, provingsetUseris called with the correct payload on success and is never called on any failure path.Verification
pnpm typecheckpasses with no errorssrc/lib/getUserFromAuth.test.ts:sets Sentry user on successful JWT authentication— assertssetUser({ id, email, ip_address: '{{auto}}' })does not set Sentry user when authorization header is invaliddoes not set Sentry user when user is blockeddoes not set Sentry user when user is not founddoes not set Sentry user when non-admin requests admin-only routedoes not set Sentry user when no auth is presentVisual Changes
N/A
Reviewer Notes
validateUserAuthorizationis called by both auth paths ingetUserFromAuth: the Authorization-header path (extension/API calls) and the NextAuth session/cookie path (browser). This is the narrowest choke point for setting user context on authenticated requests.google_user_emailis a legacy column name — it stores the user's email regardless of auth provider.ip_address: '{{auto}}'is the Sentry convention for inferring IP from the inbound connection rather than storing it explicitly.setTag('userId', user.id)insrc/lib/trpc/init.ts:23is now redundant (Sentry useridserves the same purpose), but left in place to avoid a behavior change in this PR.@sentry/nextjs,next/headers,next-auth, auth providers, DB, tokens, and PostHog to isolate thegetUserFromAuth→validateUserAuthorization→setUserpath. This is the first test in the codebase that exercises the realgetUserFromAuthfunction body rather than mocking it entirely.