getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

can't finish re-authenticate for superuser. #74046

Closed xuweixi10 closed 2 months ago

xuweixi10 commented 3 months ago

Self-Hosted Version

24.6.0

CPU Architecture

x86_64

Docker Version

24.0.7

Docker Compose Version

2.23.3

Steps to Reproduce

  1. First use Sentry as superuser
  2. Select options
  3. Enter password (screenshot: 2024-06-27 16 51 29)

Expected Result

enter sentry home page

Actual Result

Nothing happened, and the button is disabled.

(Screenshot: 2024-06-27 16 50 52)

Event ID

No response

xuweixi10 commented 3 months ago

It seems that any two-factor verification pop-up clicks are invalid.

xuweixi10 commented 3 months ago

Maybe there is a bug in the following code?

(Screenshot: 2024-06-28 23 37 22)

Before I changed it, the session was always expired.

hubertdeng123 commented 3 months ago

In the screenshot above, is the button to confirm password completely disabled? This page should only appear after upgrading self-hosted. What version are you coming from?

xuweixi10 commented 3 months ago

My version is 24.6.0. After I changed the code, it seems like the problem is solved, but I don't know if it's the correct way; it may bring other bugs.

hubertdeng123 commented 3 months ago

Hmmm ok. Do you mind sharing what you changed to fix your problem?

xuweixi10 commented 3 months ago

(Screenshot: Clipboard_Screenshot_1719977326) Like this in superuser.py.

hubertdeng123 commented 3 months ago

Ah my bad, I misread this as this is indeed different from what it is today. I'm going to transfer this issue.

Specifically, this line is changed: https://github.com/getsentry/sentry/blob/0b8851caff0c82845ae261d95b44bc284ea78f03/src/sentry/auth/superuser.py#L383

getsantry[bot] commented 3 months ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 3 months ago

Routing to @getsentry/product-owners-settings-auth for triage ⏲️

schew2381 commented 3 months ago

Those lines for setting the expiration and idle time have not changed at all. My best guess is the problem is somehow related to how we're verifying the superuser session.

@xuweixi10 could you possibly take a look at where we're validating the session expiration time below, and check what the value is when using the existing code vs your fix? https://github.com/getsentry/sentry/blob/ba3a4de019399cfaf1707bb2ea73bec690d56bf2/src/sentry/auth/superuser.py#L310-L325

xuweixi10 commented 2 months ago

After I added the log below,

        # Added for debugging: log the same "exp"/"idl" values that are about
        # to be written into the session, so they can be compared with the
        # "superuser.session-expired" lines that follow.
        logger.info(
            "superuser.logged-in",
            extra={
                "exp": self.expires.strftime("%s"),
                "idl": (current_datetime + IDLE_MAX_AGE).strftime("%s"),
            },
        )
        self.request.session[SESSION_KEY] = {
            "exp": self.expires.strftime("%s"),
            "idl": (current_datetime + IDLE_MAX_AGE).strftime("%s"),
            "tok": self.token,
            # XXX(dcramer): do we really need the uid safety mechanism
            "uid": self.uid,
        }

When I log in as superuser:

09:57:51 [INFO] sentry.superuser: superuser.needs-validation (DISABLE_SU_FORM_U2F_CHECK_FOR_LOCAL=False self_hosted=True)
09:57:51 [INFO] sentry.superuser: superuser.logged-in (exp='1722059871' idl='1722046371')
09:57:51 [INFO] sentry.superuser: superuser.logged-in (ip_address='157.10.105.33' user_id=1)
09:57:51 [INFO] sentry.access.api: api.access (method='PUT' view='sentry.api.endpoints.auth_index.AuthIndexEndpoint' response=200 user_id='1' is_app='None' token_type='None' is_frontend_request='True' organization_id='None' auth_id='None' path='/api/0/auth/' caller_ip='157.10.105.33' user_agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36' rate_limited='False' rate_limit_category='None' request_duration_seconds=0.2741873264312744 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None')
09:57:51 [INFO] sentry.superuser: superuser.session-expired (ip_address='157.10.105.33' user_id=1)
09:57:51 [INFO] sentry.superuser: superuser.session-expired (ip_address='157.10.105.33' user_id=1)
09:57:51 [INFO] sentry.superuser: superuser.session-expired (ip_address='157.10.105.33' user_id=1)
09:57:51 [WARNING] django.request: Forbidden: /api/0/internal/stats/ (status_code=403 request=<WSGIRequest: GET '/api/0/internal/stats/?key=events.total&resolution=1h&since=1721469471.309'>)
09:57:51 [INFO] sentry.superuser: superuser.session-expired (ip_address='157.10.105.33' user_id=1)
09:57:51 [INFO] sentry.superuser: superuser.session-expired (ip_address='157.10.105.33' user_id=1)

I log in as superuser, then it immediately expires. I think maybe it's a timezone problem; I can see some places still use non-UTC time.

xuweixi10 commented 2 months ago

Fine, the reason is that my Docker timezone is not UTC. After I changed it to UTC, everything is OK.
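The mechanism behind the reporter's finding, as an added example that is not part of the thread and not Sentry's own code: `datetime.strftime("%s")` is a glibc extension that passes the broken-down time to `mktime()`, which interprets the fields as local time and ignores the datetime's `tzinfo`. A UTC-aware datetime therefore serialises to the right epoch value only when the process runs with `TZ=UTC`; under a UTC+8 container timezone every stored deadline lands eight hours in the past, so the idle deadline (15 minutes ahead) is already expired on the very next request. `datetime.timestamp()` converts through `tzinfo` and does not have this problem. The lifetimes `MAX_AGE`/`IDLE_MAX_AGE`, the shape of the validation check (`session_is_valid`) and the constructed instant are assumptions for illustration; the POSIX TZ strings (`CST-8` meaning UTC+8 without DST, `UTC0`) are used so the demo runs in a container without tzdata. Linux/glibc only: `strftime("%s")` and `time.tzset()` are not available on Windows.

```python
"""Reproduce why a non-UTC process timezone expires the superuser session
immediately when deadlines are stored with strftime("%s")."""
import os
import time
from contextlib import contextmanager
from datetime import datetime, timedelta, timezone

# Assumed lifetimes for the example; they reproduce the 13500 s gap between
# the exp and idl values printed in the thread's log (4 h - 15 min).
MAX_AGE = timedelta(hours=4)
IDLE_MAX_AGE = timedelta(minutes=15)


@contextmanager
def process_tz(tz_spec):
    """Temporarily switch the process-wide timezone (POSIX only: time.tzset).

    tz_spec is a POSIX TZ string such as "CST-8" (UTC+8, no DST) or "UTC0";
    glibc parses these directly, so no tzdata is needed in the container.
    """
    previous = os.environ.get("TZ")
    os.environ["TZ"] = tz_spec
    time.tzset()
    try:
        yield
    finally:
        if previous is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = previous
        time.tzset()


def deadlines_strftime(now):
    """The pattern from the issue: strftime("%s") on aware UTC datetimes.

    glibc's %s runs mktime() on the tuple and treats it as LOCAL time, so the
    result is off by the current UTC offset whenever TZ is not UTC.
    """
    return {
        "exp": int((now + MAX_AGE).strftime("%s")),
        "idl": int((now + IDLE_MAX_AGE).strftime("%s")),
    }


def deadlines_timestamp(now):
    """Timezone-independent alternative: timestamp() converts via tzinfo."""
    return {
        "exp": int((now + MAX_AGE).timestamp()),
        "idl": int((now + IDLE_MAX_AGE).timestamp()),
    }


def session_is_valid(data, now):
    """Assumed shape of the validation: both deadlines must still be ahead of now."""
    now_ts = int(now.timestamp())  # aware datetime: independent of process TZ
    return data["exp"] > now_ts and data["idl"] > now_ts


def compare(tz_spec, now=None):
    """Store the deadlines both ways under tz_spec and validate them right away."""
    if now is None:
        # Constructed UTC instant for the demo (the thread's log was taken at 09:57:51).
        now = datetime(2024, 7, 27, 9, 57, 51, tzinfo=timezone.utc)
    with process_tz(tz_spec):
        buggy = deadlines_strftime(now)
        fixed = deadlines_timestamp(now)
    return {
        "tz": tz_spec,
        # Negative skew = the stored deadline is that many seconds too early.
        "skew_seconds": buggy["idl"] - fixed["idl"],
        "strftime_valid": session_is_valid(buggy, now),
        "timestamp_valid": session_is_valid(fixed, now),
    }


if __name__ == "__main__":
    for tz in ("UTC0", "CST-8"):
        print(compare(tz))
```

Under `UTC0` both encodings agree and the freshly created session validates; under `CST-8` the `strftime("%s")` deadlines are 28800 s early and the session is rejected immediately, while the `timestamp()` deadlines still validate. Setting the container to UTC, as the reporter did, removes the skew; encoding with `timestamp()` removes the dependency on the container's timezone altogether.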