getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

GET /api/0/organizations returns `200 OK - []` #49335

Closed cdelst closed 1 year ago

cdelst commented 1 year ago

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Get a valid token (I can validate that it is in fact valid, because other endpoints I am hitting (projects, for example) are working correctly.)
  2. Query GET https://launchdarkly-ecosystem.sentry.io/api/0/organizations/
  3. See 200 OK response with empty array body.

I have also tried using the non self-hosted URL as well.

Here's a screenshot of the integration permissions I'm using that generates the token:

image

Expected Result

I expect the organizations endpoint to return the organizations in our account.

Actual Result

200 OK - []

image

Proof that I do in fact have an organization (I don't think you can not have one?)

image

Product Area

Other

Link

No response

DSN

No response

Version

No response

getsantry[bot] commented 1 year ago

Assigning to @getsentry/support for routing, due by (sfo). ⏲️

getsantry[bot] commented 1 year ago

Routing to @getsentry/product-owners-settings for triage, due by (sfo). ⏲️

Dhrumil-Sentry commented 1 year ago

@leedongwei can this API be used using Integration tokens or does it need a user's auth token?

cdelst commented 1 year ago

Adding a bit more context, the token I am using is being generated by an OAuth flow from a public integration.

I suspect that the line in the docs: “available to the authenticated session” is probably the culprit here.

cdelst commented 1 year ago

Any update on investigation here? cc @Dhrumil-Sentry @leedongwei

Dhrumil-Sentry commented 1 year ago

@cdelst I'll let @leedongwei confirm this but I suspect that this particular API endpoint can only be invoked by a user token. The integration token you are using is tied to a specific org and it won't be able to list other organizations your user account has access to.

Is there any particular use case for which you need this list of orgs?

cdelst commented 1 year ago

@Dhrumil-Sentry The exact use case we need is to be able to list all environments and projects in a given org, without knowing the org name/key (as that is not provided in the integration handshake as far as I can tell).

The list organizations endpoint is a roundabout way of getting that, but we did not find another endpoint that could satisfy that requirement.

AniketDas-Tekky commented 1 year ago

I'm assuming you're looking for projects and environments in your own organization. In which case the APIs would be:

/api/0/organizations/launchdarkly-ecosystem/projects/ - all projects

/api/0/organizations/launchdarkly-ecosystem/environments/ - all environments

The subdomain in the URL (in your case launchdarkly-ecosystem) is your organization key.

cdelst commented 1 year ago

@AniketDas-Tekky Unfortunately, we need the projects and environments of our integration consumer, to provide them a setup experience on our end mapping our (LaunchDarkly's) environments and projects to the customer's Sentry projects and environments.

cdelst commented 1 year ago

Looking at the permissions of the integration, it feels like this should be possible when the Organization permission is set to read: image

AniketDas-Tekky commented 1 year ago

Integration tokens only work in the owner organization's domain. This would be like having a special user who is only in the LaunchDarkly organization trying to access another organization. Your consumer would need to provide their token in order for you to read their organization's information.

cdelst commented 1 year ago

@AniketDas-Tekky I could be confused here, so sorry in advance, but I thought the point of going through the authentication flow, and getting a token out of it was that that token had access to our integration consumer's information. It's fine if that token is scoped to an organization, but we need some way of getting information about that organization with the information that's provided to us through the integration handshake.

Are there any other approaches you'd recommend here? Or is it simply not possible? Being able to retrieve only the customer's projects using our token would be a bit unfortunate.

cdelst commented 1 year ago

Additionally, it might make more sense to not return a 200 - OK when a token does not have access to any organization information if that is indeed the expected behavior for all integration tokens.

Dhrumil-Sentry commented 1 year ago

> @Dhrumil-Sentry The exact use case we need is to be able to list all environments and projects in a given org, without knowing the org name/key (as that is not provided in the integration handshake as far as I can tell).
>
> The list organizations endpoint is a roundabout way of getting that, but we did not find another endpoint that could satisfy that requirement.

@cdelst - You do get the org-slug. Please have a look at the installation webhooks response here

You would need to store a mapping of org-slugs and auth tokens if you wish to invoke the APIs you need.

cdelst commented 1 year ago

Thanks @Dhrumil-Sentry. I missed that. Thanks for both of your help.
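
The org-slug-to-token mapping suggested in the final reply above, sketched as an added example that is not part of the thread or Sentry's own code. It assumes the installation webhook body carries `action` and `data.installation` with `uuid`, `code` and `organization.slug`, and that the webhook signature is a hex HMAC-SHA256 of the raw body under the integration's client secret; `exchange_code` is a hypothetical callback standing in for the token exchange.

```python
import hashlib
import hmac
import json

API_ROOT = "https://sentry.io/api/0"  # host taken from the thread

class InstallationTokens:
    """Maps each installing org's slug to the token issued for that installation."""

    def __init__(self, client_secret: bytes):
        self._secret = client_secret
        self._by_slug = {}  # org slug -> {"uuid": ..., "token": ...}

    def verify(self, body: bytes, signature: str) -> bool:
        # Assumed scheme: hex HMAC-SHA256 of the raw body under the client secret.
        expected = hmac.new(self._secret, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)

    def on_webhook(self, body: bytes, signature: str, exchange_code) -> str:
        """Handle an installation webhook; returns the org slug it concerned."""
        if not self.verify(body, signature):
            raise PermissionError("webhook signature mismatch")
        event = json.loads(body)
        inst = event["data"]["installation"]  # assumed payload layout
        slug = inst["organization"]["slug"]
        if event["action"] == "deleted":
            self._by_slug.pop(slug, None)  # uninstall: drop the stored token
        else:
            token = exchange_code(inst["uuid"], inst["code"])
            self._by_slug[slug] = {"uuid": inst["uuid"], "token": token}
        return slug

    def request_for(self, slug: str, resource: str):
        """Build (url, headers) for an org-scoped endpoint with that org's own token."""
        if resource not in ("projects", "environments"):
            raise ValueError(f"unsupported resource: {resource}")
        entry = self._by_slug.get(slug)
        if entry is None:
            raise KeyError(f"no installation recorded for org {slug!r}")
        url = f"{API_ROOT}/organizations/{slug}/{resource}/"
        return url, {"Authorization": f"Bearer {entry['token']}"}

if __name__ == "__main__":
    # Constructed sample webhook; slug, uuid, code and secret are made up.
    inst = {"uuid": "u-1", "code": "c-1", "organization": {"slug": "customer-org"}}
    body = json.dumps({"action": "created", "data": {"installation": inst}}).encode()
    store = InstallationTokens(b"constructed-secret")
    sig = hmac.new(b"constructed-secret", body, hashlib.sha256).hexdigest()
    store.on_webhook(body, sig, lambda uuid, code: "constructed-token")
    print(store.request_for("customer-org", "environments")[0])
```

Because lookups are keyed by slug and fail closed, a token issued for one customer's installation is never sent to another organization's endpoints.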