getsentry / team-sdks

A meta repository for tracking work across all SDK teams.

Project: Org Auth Tokens #6

Closed smeubank closed 10 months ago

smeubank commented 1 year ago

Project Board

See our project board to track this initiative across all SDKs

Description

A crucial step for any project on any platform is that the creation of releases and the uploading of release artefacts (e.g. source maps) are integrated into a project's CI/CD pipeline. In order to do so, users can choose from a variety of Sentry tools:

But of course, they all have to authenticate, which is a process worthy of improvement atm.

Current option 1: User based auth tokens 😬

In order to set up those tools, we currently ask users to issue a user-based auth token. This has some negative side effects, as the token may not work anymore (and therefore neither does the entire reporting to Sentry) when that user leaves the organisation.

Example from a Sentry CLI docs page:

Current option 2: Internal integrations 🫢

In theory, there is also the option to create an Internal Integration - which, as the name suggests, leaves many users wondering if this is the right way to set up organisation (or project-based) authentication/authorisation. Also, integrations weren't initially thought to fulfil this purpose. Besides that - creating a new integration is only possible with a certain level of user account privileges. In a bigger organisation with several development teams and projects, relying on an Owner or Manager of the org may not result in a frictionless user experience.

Solution: Org based auth tokens 😍

We're going to build a new form of auth tokens, which will be org-based but accessible to all members of an organisation. This will help our users set up their CI / build tool integration in an easy yet sustainable way. Because we're also using another token format, additional benefits will become apparent. We'll encode sentry_site and sentry_org in the token, so users will no longer have to add these to their configuration. On top of that, we'll add the prefix sntrys_ to all new tokens, so that they can be monitored for leakage into version control.

MVP

In our MVP we'll focus on building the new auth token system and use it in our sentry-cli package; this also means that all bundler plugins (from the list above) will use it in the background. Of course, updating all related documentation in sentry-docs is also part of this.

See the list below for everything that's part of our MVP:

### In General
- [x] Consolidate all GitHub Issues into this issue
- [x] Revisit the RFC and make sure all guidelines are respected (https://github.com/getsentry/rfcs/blob/feature/upload-tokens/text/0091-ci-upload-tokens.md)
- [x] Clarify `sentry_site` vs. `sentry_url` -> use `sentry_site`
- [x] https://github.com/getsentry/sentry/issues/50926
- [ ] https://github.com/getsentry/sentry/issues/50927
- [ ] https://github.com/getsentry/team-webplatform-meta/issues/91
### sentry
- [ ] https://github.com/getsentry/sentry/issues/50140
- [x] Post-launch: Add note to user based auth tokens to reference org based auth tokens
- [x] Token overview page: show tokens sorted by their last used date
### sentry-cli (after GA)
- [ ] https://github.com/getsentry/sentry-cli/issues/1732
- [x] Update docs on https://docs.sentry.io/product/cli/configuration/
- [x] Update docs on https://docs.sentry.io/platforms/javascript/sourcemaps/uploading/cli/
- [x] Update docs on https://docs.sentry.io/platforms/javascript/sourcemaps/uploading/typescript/
- [x] Update docs on https://docs.sentry.io/platforms/javascript/sourcemaps/uploading/uglifyjs/
- [x] Update docs on https://docs.sentry.io/platforms/javascript/sourcemaps/uploading/systemjs/
- [x] Todo: Find other docs
- [ ] https://github.com/getsentry/sentry-cli/issues/1669
### sentry-javascript-bundler-plugins
- [x] Draft: Adapt `sentry-cli login` changes to all bundler plugins
- [x] Update docs on https://docs.sentry.io/platforms/javascript/sourcemaps/uploading/webpack/
- [x] Update docs on https://docs.sentry.io/platforms/javascript/sourcemaps/uploading/rollup/
- [x] Update docs on https://docs.sentry.io/platforms/javascript/sourcemaps/uploading/vite/
- [x] Update docs on https://docs.sentry.io/platforms/javascript/sourcemaps/uploading/esbuild/
- [x] Todo: Find other docs
### sentry-docs
- [x] Draft: Provide a button to issue a new CI/CD token and display it only once - https://github.com/getsentry/sentry-docs/issues/7226
- [x] [Product page for Org Auth Tokens](https://github.com/getsentry/sentry-docs/pull/7834)
### other docs
- [x] Update docs on https://www.npmjs.com/package/@sentry/webpack-plugin
- [x] Update docs on https://www.npmjs.com/package/@sentry/rollup-plugin
- [x] Update docs on https://www.npmjs.com/package/@sentry/vite-plugin
- [x] Update docs on https://www.npmjs.com/package/@sentry/esbuild-plugin
- [x] Todo: Find other docs

To finish our MVP, we have to make sure to fulfil the following acceptance criteria:

### Acceptance Criteria
- [x] All members of an organisation should be allowed to issue org based tokens, only some scopes may be reserved for higher privileged users
- [x] Org based tokens can be (re)labeled by users, but we offer a generated label per default
- [x] When generating a token label for users, the context and date of creation is taken into consideration
- [x] Org based tokens have a prefix that is called `sntrys_`
- [x] Org based tokens encode `sentry_site` and `sentry_org`
- [x] Org based tokens are only shown once upon creation, then only ever displayed truncated (show last couple of characters)
- [x] Solution is compatible with hybrid-cloud, single tenant and self-hosted instances
- [x] PR/FAQ is written and shared with all interested parties
- [x] All Sentry teams are aware of this change (support, sales, hybrid-cloud, telemetry experience, ...)
- [x] All docs todos have been done

MVP+1

Having successfully launched org based tokens, we can now also bring it to our users' attention in our sentry-wizard. This wizard is not to be confused with our in-product wizard. This wizard is a CLI tool that helps users set up their React Native, Cordova, Electron or Next.js projects with Sentry.

### sentry-wizard (TBD)
- [ ] Draft: Add information to the wizard in sentry.io for CI/CD token setup
- [ ] Draft: Automatically generate the token for setup (.sentryclirc, .env)
- [ ] https://github.com/getsentry/sentry-wizard/issues/357
### sentry (TBD)
- [ ] https://github.com/getsentry/sentry/issues/50287
- [ ] https://github.com/getsentry/sentry/issues/50158
- [x] Search bar: make org auth tokens findable through search
### Acceptance Criteria
- [ ] The prefix is known to GitHub https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns

Notes

### As a Side Note: Related Issues
- [ ] https://github.com/getsentry/sentry/issues/9600
- [ ] https://github.com/getsentry/customer-feedback/issues/22
- [ ] https://github.com/getsentry/team-webplatform-meta/issues/67
- [ ] https://github.com/getsentry/sentry/issues/49943
- [ ] https://github.com/getsentry/sentry/issues/49084
- [ ] https://github.com/getsentry/sentry/issues/48690
- [ ] https://github.com/getsentry/sentry/issues/43094
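A defender-side check for the leak-monitoring goal in the description above (scan text that is about to be committed for the `sntrys_` prefix and report only a truncated form, as the acceptance criteria require for display). This is an added example, not Sentry's own code; the regex treats the encoded payload as opaque because the issue does not spell out the format, and the sample token value is constructed.

```python
import re
from dataclasses import dataclass

# Prefix that org auth tokens carry, as described in the issue.
ORG_TOKEN_PREFIX = "sntrys_"
# Base64/URL-safe alphabet plus "_" as a possible separator. The payload
# layout (encoded sentry_site / sentry_org) is not specified in the issue,
# so it is treated as an opaque run of token characters. (Assumption.)
ORG_TOKEN_RE = re.compile(r"\bsntrys_[A-Za-z0-9+/=_\-]{16,}")


@dataclass(frozen=True)
class Finding:
    line_no: int
    redacted: str  # never the raw token, so the CI log does not re-leak it


def redact(token: str, keep: int = 4) -> str:
    """Keep the prefix and only the last `keep` characters, mirroring the
    truncated display the issue asks for after a token is created."""
    return f"{ORG_TOKEN_PREFIX}...{token[-keep:]}"


def find_org_tokens(text: str) -> list[Finding]:
    """Return one Finding per org-token-shaped value, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ORG_TOKEN_RE.finditer(line):
            findings.append(Finding(line_no, redact(match.group(0))))
    return findings


def should_block_commit(text: str) -> bool:
    """Pre-commit style verdict: any hit means the change must not land."""
    return bool(find_org_tokens(text))


# Constructed sample of a .env file a CI setup might commit by mistake.
# The token is made up and is not a real Sentry token.
SAMPLE_ENV = """\
SENTRY_AUTH_TOKEN=sntrys_FAKEPAYLOADFAKEPAYLOAD_FAKESECRETFAKESECRET1234
SENTRY_ORG=placeholder-org
SENTRY_DSN=https://public@example.invalid/1
"""

if __name__ == "__main__":
    for f in find_org_tokens(SAMPLE_ENV):
        print(f"line {f.line_no}: possible org auth token {f.redacted}")
    raise SystemExit(1 if should_block_commit(SAMPLE_ENV) else 0)
```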
ale-cota commented 1 year ago

Adding this here for tracking: https://github.com/getsentry/sentry-wizard/issues/288 Steven's proposal to develop a wizard for source maps upload.