fix(expo): Ensure authToken is not written to application package (#3630)

Co-authored-by: Karl Heinz Struggl <[email protected]>
krystofwoldrich and kahest committed Feb 26, 2024
1 parent 4200779 commit 9148964
Showing 2 changed files with 20 additions and 7 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,15 @@
# Changelog

## Unreleased

### Fixes

- Don't add Expo Plugin option `authToken` to application bundle ([#3630](https://github.com/getsentry/sentry-react-native/pull/3630))
- Expo plugin configurations are generelly stored in plain text, and are also automatically added to built app bundles, and are therefore considered insecure.
- You should not set the auth token in the plugin config except for local testing. Instead, use the `SENTRY_AUTH_TOKEN` env variable, as pointed out in our [docs](https://docs.sentry.io/platforms/react-native/manual-setup/expo/).
- In addition to showing a warning, we are now actively removing an `authToken` from the plugin config if it was set.
- If you had set the auth token in the plugin config previously, **and** built and published an app with that config, you should [rotate your token](https://docs.sentry.io/product/accounts/auth-tokens/).

## 5.19.0

This release contains upgrade of `sentry-android` dependency to major version 7. There are no breaking changes in the JS API. If you are using the Android API please check [the migration guide](https://docs.sentry.io/platforms/android/migration/#migrating-from-iosentrysentry-android-6x-to-iosentrysentry-android-700).
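Review bot: typo in the new changelog bullet, "generelly" should read "generally". The fourth bullet ("we are now actively removing an `authToken` from the plugin config") also overstates the scope: the accompanying withSentry.ts change calls `getSentryProperties(props)` before deleting the token, so `auth.token` is still written into the generated sentry.properties for the current build and only the Expo config that ends up in the application bundle loses it. Suggested wording: "- In addition to showing a warning, the plugin now removes `authToken` from the Expo plugin config before it is serialized into the app bundle; the token is still used for the current build."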
17 changes: 10 additions & 7 deletions plugin/src/withSentry.ts
@@ -14,6 +14,12 @@ interface PluginProps {

const withSentryPlugin: ConfigPlugin<PluginProps | void> = (config, props) => {
const sentryProperties = getSentryProperties(props);

if (props && props.authToken) {
// If not removed, the plugin config with the authToken will be written to the application package
delete props.authToken;
}

let cfg = config;
if (sentryProperties !== null) {
try {
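Review bot: the `delete props.authToken` block is order-dependent: `getSentryProperties(props)` on the line above is what still feeds the token into sentry.properties, and anyone later moving that call below the `if` would silently drop `auth.token` from the generated file. Either extend the comment, e.g. `// getSentryProperties(props) must run before the token is deleted below`, or read `authToken` out of `props` first and pass the value explicitly. The block also mutates the caller's `props` object in place; the inline comment explains why (that object is what gets written to the application package), but a plugin test asserting that the returned config's plugin entry no longer carries `authToken` would pin the behaviour down.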
@@ -33,12 +39,14 @@ const withSentryPlugin: ConfigPlugin<PluginProps | void> = (config, props) => {
);
}
}

return cfg;
};

const missingAuthTokenMessage = '# auth.token is configured through SENTRY_AUTH_TOKEN environment variable';
const missingProjectMessage = '# no project found, falling back to SENTRY_PROJECT environment variable';
const missingOrgMessage = '# no org found, falling back to SENTRY_ORG environment variable';
const existingAuthTokenMessage = `# DO NOT COMMIT the auth token, use SENTRY_AUTH_TOKEN instead, see https://docs.sentry.io/platforms/react-native/manual-setup/`;
const missingAuthTokenMessage = `# Using SENTRY_AUTH_TOKEN environment variable`;

export function getSentryProperties(props: PluginProps | void): string | null {
const { organization, project, authToken, url = 'https://sentry.io/' } = props ?? {};
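Review bot: the docs URL in `existingAuthTokenMessage` points to `https://docs.sentry.io/platforms/react-native/manual-setup/` while the changelog in this same commit links to `.../manual-setup/expo/`; align them so the comment in the generated sentry.properties sends Expo users to the Expo-specific page. Also double-check that the old `missingAuthTokenMessage` ("# auth.token is configured through SENTRY_AUTH_TOKEN environment variable") is the one removed and the new `# Using SENTRY_AUTH_TOKEN environment variable` is the one kept; two `const missingAuthTokenMessage` declarations in the same module would not compile.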
@@ -56,12 +64,7 @@ export function getSentryProperties(props: PluginProps | void): string | null {
return `defaults.url=${url}
${organization ? `defaults.org=${organization}` : missingOrgMessage}
${project ? `defaults.project=${project}` : missingProjectMessage}
${
authToken
? `# Configure this value through \`SENTRY_AUTH_TOKEN\` environment variable instead. See: https://docs.sentry.io/platforms/react-native/manual-setup/\nauth.token=${authToken}`
: missingAuthTokenMessage
}
`;
${authToken ? `${existingAuthTokenMessage}\nauth.token=${authToken}` : missingAuthTokenMessage}`;
}

// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
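Review bot: the collapsed one-line template still emits `auth.token=${authToken}` into the returned properties string whenever `authToken` is set, so the secret leaves the application bundle but continues to be written to sentry.properties, guarded only by the DO NOT COMMIT comment above it. That is consistent with the changelog's bundle-only scope, but it deserves a sentence in the function's doc comment, plus a test that `getSentryProperties({ authToken: 'x' })` contains `existingAuthTokenMessage` and `getSentryProperties({})` contains `missingAuthTokenMessage`, since rewriting the multi-line conditional is the part of this hunk most likely to regress silently.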

0 comments on commit 9148964