Conversation
Read the auth token from the `X-Os-Auth` query parameter as a fallback between the `X-Os-Auth` header and the `Authorization` header. The query parameter value is the raw JWT without a `Bearer` prefix, useful for contexts where headers cannot be set (e.g. browser-initiated requests). Precedence: X-Os-Auth header > X-Os-Auth query param > Authorization header.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 5316ff6. Configure here.
| .and_then(|v| v.to_str().ok()) | ||
| .and_then(strip_bearer); | ||
| .and_then(strip_bearer) | ||
| .or_else(|| extract_query_param_value(parts.uri.query(), OBJECTSTORE_AUTH_QUERY_PARAM)) |
There was a problem hiding this comment.
Auth token in query string leaks to logs/traces
Medium Severity
Passing the JWT via the X-Os-Auth query parameter means the token will appear in tracing spans and Sentry transactions. The existing make_http_span function records uri = %request.uri() which includes the full query string, and SentryHttpLayer with enable_transaction() also captures request URIs. Unlike headers, which are not included in these spans, query-parameter tokens will be persisted in logs and Sentry. The codebase already redacts sensitive values elsewhere (e.g., DecodingKey debug output, config secrets), but no scrubbing exists for URIs.
Reviewed by Cursor Bugbot for commit 5316ff6. Configure here.
There was a problem hiding this comment.
I think this is okay? These tokens have a max validity anyways.
1 participant
This change is needed for getsentry/sentry#113030.
It allows frontend pages that use standard image components to slap
?X-Os-Auth=<token>to the URLs they retrieve images from, as opposed to needing custom logic to add it as a header whenever the image is known to be stored in Objectstore.This is the final piece of the puzzle that will allow us to enable auth enforcement and unblock Emerge for EA of Snapshots.
The proper solution would be pre-signed URLs, but that needs design and is significantly more complex. We don't want that to be a blocker for Snapshots.
Moreover, only the frontend will use this way of authenticating, so we can always change it relatively easily.
The only thing we cannot change is old versions of CLI. CLI currently fetches a token from the backend and puts it in the
X-Os-Authheader. Now that's a JWT, but in the future it could be something else, we just need to change the semantics of what we return from the backend.