14 changes: 12 additions & 2 deletions src/sentry/templates/sentry/toolbar/iframe.html
Expand Up @@ -98,11 +98,15 @@
}

const loginWindowMessageDispatch = {
'did-login': ({ cookie, token }) => {
'did-login': ({ cookie, csrfToken, token }) => {
if (cookie) {
document.cookie = getCookieValue(cookie, window.location.hostname);
log('Saved a cookie', document.cookie.indexOf(cookie) >= 0);
}
if (csrfToken) {
Should we log if csrf token isn't found?

Also important is handling it on the UI side so things gracefully degrade.

There's no Sentry on this page now afaik, we'd need to load in from the CDN, so i'll take that as a followup for this whole html template.

but we're relying on middleware... so i think the odds of not having it are low. unless it's misconfigured for this page.

sessionStorage.setItem('csrfToken', csrfToken);
log('Saved a CSRF token to sessionStorage');
}
if (token) {
localStorage.setItem('accessToken', token);
log('Saved an accessToken to localStorage');
Expand Down Expand Up @@ -135,6 +139,9 @@
document.cookie = getCookieValue(cookie, regionUrl);
log('Cleared the current cookie');

sessionStorage.removeItem('csrfToken');
log('Removed CSRF token from sessionStorage');

const accessToken = localStorage.removeItem('accessToken')
log('Removed accessToken from localStorage');

Expand All @@ -150,6 +157,9 @@
const accessToken = localStorage.getItem('accessToken');
const bearer = accessToken ? { 'Authorization': `Bearer ${accessToken}` } : {};

const csrfToken = sessionStorage.getItem('csrfToken');
const csrfHeader = csrfToken ? { 'X-CSRFToken': csrfToken } : {};

// If either of these is invalid, or both are missing, we will
// forward the resulting 401 to the application, which will request
// tokens be destroyed and reload the iframe in an unauth state.
Expand All @@ -158,7 +168,7 @@
const url = new URL('/api/0' + path, organizationUrl);
const initWithCreds = {
...init,
headers: { ...init.headers, ...bearer },
headers: { ...init.headers, ...bearer, ...csrfHeader },
credentials: 'include',
};
const response = await fetch(url, initWithCreds);
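Review bot: The `did-login` handler writes whatever `csrfToken` (and `token`) the message carries straight into storage, and nothing in this hunk checks the value or the sender; the `message` listener that dispatches into `loginWindowMessageDispatch` is outside the hunk, so please confirm it compares `event.origin` against the expected login-window origin before dispatching, since otherwise a forged message could overwrite the stored CSRF and access tokens. The logout and fetch hunks mirror the existing access-token handling consistently. While touching the logout hunk, the context line `const accessToken = localStorage.removeItem('accessToken')` assigns `undefined` to an unused const and is missing its semicolon; `localStorage.removeItem('accessToken');` is enough. A short comment above `csrfHeader` would help the next reader: `// Django's CSRF middleware looks for the token in X-CSRFToken on unsafe methods; sending it on every request is harmless.`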
3 changes: 3 additions & 0 deletions src/sentry/templates/sentry/toolbar/login-success.html
Expand Up @@ -24,6 +24,8 @@ <h4>You're logged in!</h4>
const orgSlug = '{{ organization_slug|escape }}';
const delay = {{ delay_ms|escapejs }};
const cookie = '{{ cookie|escapejs }}';
const csrfCookieName = '{{ csrf_cookie_name|escapejs }}';
const csrfToken = document.cookie.split(';').find(c => c.trim().startsWith(csrfCookieName + '='))?.split('=')[1] ?? '';
const token = '{{ token|escapejs }}';

if (window.location.origin === 'https://sentry.io') {
Expand All @@ -42,6 +44,7 @@ <h4>You're logged in!</h4>
source: 'sentry-toolbar',
message: 'did-login',
cookie,
csrfToken,
token,
}, window.location.origin);

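Review bot: The cookie lookup on the `csrfToken` line falls back to `''` silently, so when the CSRF cookie is not readable from script (Django's `CSRF_COOKIE_HTTPONLY` setting hides it from `document.cookie`) or the configured name does not match, the iframe's `did-login` handler quietly skips storing a token and later unsafe API calls fail the CSRF check with no clue why. `.split('=')[1]` also truncates a value at any second `=`, and the matched entry is not trimmed before splitting. I would move the parse into a small helper that trims each entry, slices after the first `=`, and logs when the result is empty so a misconfiguration is visible during login.

```javascript
// Read a cookie value by name from document.cookie. Returns '' when absent;
// an HttpOnly cookie is invisible to script and also yields ''.
function readCookie(name) {
  const prefix = name + '=';
  const entry = document.cookie.split(';').map(c => c.trim()).find(c => c.startsWith(prefix));
  return entry ? entry.slice(prefix.length) : '';
}
const csrfToken = readCookie(csrfCookieName);
if (!csrfToken) {
  console.warn('CSRF cookie not readable; is it HttpOnly or misnamed?');
}
// … unchanged: token, origin check, postMessage …
```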
4 changes: 2 additions & 2 deletions src/sentry/toolbar/views/login_success_view.py
Expand Up @@ -6,8 +6,7 @@
TEMPLATE = "sentry/toolbar/login-success.html"

session_cookie_name = settings.SESSION_COOKIE_NAME

# touch 123
csrf_cookie_name = settings.CSRF_COOKIE_NAME


@region_silo_view
Expand All @@ -22,6 +21,7 @@ def get(self, request: HttpRequest, organization, project_id_or_slug):
"delay_sec": int(delay_ms / 1000),
"delay_ms": delay_ms,
"cookie": f"{session_cookie_name}={request.COOKIES.get(session_cookie_name)}",
"csrf_cookie_name": csrf_cookie_name,
"token": "",
},
)
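Review bot: The view passes only the cookie name and leaves it to client-side script to read the CSRF token out of `document.cookie`, which breaks whenever the CSRF cookie is not script-readable; `django.middleware.csrf.get_token(request)` is available in the view and returns the token directly, so passing `"csrf_token": get_token(request),` in the context (rendered with `escapejs` like the neighbouring values) would be more robust and would make `csrf_cookie_name` unnecessary. `get_token` also ensures the CSRF cookie is set on the response, so it does not depend on the middleware having already done so for this request. `get` starts outside the hunk, so I cannot see whether anything else in the method already touches CSRF state.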