-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
api: add auth test endpoint #70827
api: add auth test endpoint #70827
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a missing file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❤️
Yep there sure was. I misnamed some files. Fixed now. :) |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #70827 +/- ##
==========================================
- Coverage 80.03% 80.03% -0.01%
==========================================
Files 6504 6506 +2
Lines 290752 290792 +40
Branches 50115 50120 +5
==========================================
+ Hits 232693 232724 +31
- Misses 57622 57631 +9
Partials 437 437
|
🚨 Warning: This pull request contains Frontend and Backend changes! It's discouraged to make changes to Sentry's Frontend and Backend in a single pull request. The Frontend and Backend are not atomically deployed. If the changes are interdependent of each other, they must be separated into two pull requests and be made forward or backwards compatible, such that the Backend or Frontend can be safely deployed independently. Have questions? Please ask in the |
A really basic API endpoint for secret scanners to use to test authentication mechanisms.
b18b837
to
aafbd81
Compare
@JoshFerge discovered that we were seeing measurable amounts of TruffleHog requests hitting our project index endpoint. It's suspected this would cause a non-trivial amount of load on the backend datastores. At one point, we had 220k requests logged in a single minute from the TruffleHog user agent... The vast majority were rate-limited however.
This PR creates a really basic endpoint that returns a 200 if you are successfully authenticated with a user auth token, org auth token, or a session. If you're not authenticated, we'll return a 403. The endpoint specifically avoids pulling data about the User and returns no body.
The rate limit is quite high, but I did use a bit of math to find the median/average of requests per minute per IP using the TruffleHog user agent over the past 24 hours. It peaked around 10.5k requests (with about 8k of those rate rate limited). The average and median is right around 1,100-1,300 requests/min for those that weren't rate limited (including rate limited requests, it's closer to 4.7k/min).
The hope with this endpoint is to move these scanning tools that attempt to perform verification of the secret. This gives them an option to use something less impactful and to be good stewards of the service. 🙂 We can also encourage them to honor our rate limiting headers and backoff on the requests.