feat(auth): rust client support for bearer auth #237
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
matt-codecov
force-pushed
the
matt/rust-client-jwt
branch
from
ac6f38b to
0c50276
Compare
lcian
reviewed
Dec 15, 2025
lcian
reviewed
Dec 15, 2025
lcian
approved these changes
Dec 15, 2025
Member
lcian
left a comment
lcian
left a comment
There was a problem hiding this comment.
LGTM. Let's not forget to add this token_generator to the README as well.
jan-auer
reviewed
Dec 15, 2025
|
|
||
| /// Sets a [`TokenGenerator`] that will be used to sign authorization tokens before | ||
| /// sending requests to Objectstore. | ||
| pub fn token_generator(self, token_generator: TokenGenerator) -> Self { |
Member
There was a problem hiding this comment.
We need to pass either an enum or a trait that has two implementations:
- The
TokenGenerator, as implemented. - A fully signed
Token(could be a newtype around a string). This will be needed in sentry_cli.
There's a workaround currently that we configure the reqwest client builder and add a static header, but it would be much better that we make this a first-party functionality.
I'm good if this is added in a follow-up. Example for the trait in case you choose to implement it right now:
// disadvantage: Whatever we pass in must be public now. Maybe better to have a custom, internally borrowing struct.
pub use crate::client::ScopeInner as TokenScope;
pub trait TokenProvider {
fn sign_for_scope(&self, scope: &TokenScope) -> crate::Result<Token>;
}
struct ClientBuilderInner {
...
token_provider: Box<dyn TokenProvider>,
}
impl ClientBuilder {
pub fn token_provider<T: TokenProvider>(self, provider: T) -> Self {
let Ok(mut inner) = self.0 else { return self };
inner.token_provider = Some(Box::new(provider));
Self(Ok(inner))
}
}
matt-codecov
force-pushed
the
matt/rust-client-jwt
branch
from
0c50276 to
eba14de
Compare
Contributor
Author
|
technically i left it out of the README but it is added to the example client construction in the doc comments. |
matt-codecov
added a commit
that referenced
this pull request
Dec 18, 2025
depends on: - #240 - #237 - #243 rust and python e2e tests now have authorization checks enabled. i added new test cases to ensure requests fail when the token has the wrong scope or wrong permissions, but currently the server throws 500 for any issue so the tests can't actually assert 403 like they should i am told the `.secret_scan_ignore` file should prevent our scanners from yelling about the checked-in test keys. the format with escaped slashes is strange but that's what was on the doc i was sent ¯\_(ツ)_/¯ Ref FS-202
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
mint tokens in our client library if a secret key and other config has been passed in
i will update #231 for end-to-end testing of both clients
depends on #236
Ref FS-202