secret_key not included #263

Closed
RestlessThinker opened this issue Sep 29, 2014 · 6 comments

Comments

@RestlessThinker

I was having the same issue here: #29 (comment)

The problem is that ravenjs isn't sending secret_key that's being used here:
https://github.com/getsentry/sentry/blob/master/src/sentry/web/api.py#L236

If you include public:secret in the DSN, raven now throws an error that doesn't allow it, but it's not added here https://github.com/getsentry/raven-js/blob/master/src/raven.js#L453.

I did hardcode and appended "sentry_secret=" and it finally worked. I can fix it and submit a pull request but how would you like that DSN check handled? Thanks and I look forward to your reply!

Raven-js 1.1.16 and Sentry 6.4.4

@mattrobenolt
Contributor

raven-js should not use your secret key. That's extremely insecure.

The issue is that your request isn't attaching an Origin or Referer header, so it's falling back to the secret key auth. This was not very pretty in 6.4.4, but in master, it should more explicitly tell you that.

Feel free to upgrade your Sentry to master. It's what we run on app.getsentry.com.

I can help you try and figure out why your Origin and Referer header isn't getting attached to your request though.
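The server-side decision described in this comment, written up as an added example for this thread (it is not Sentry's api.py): a request carrying an Origin or Referer is treated as a browser client and authorized by origin plus public key, and only a request with neither header is asked for the secret key. The `project` shape, the keys, origins and headers are constructed sample values.

```javascript
// Added example for this thread; not Sentry's own code.
// A request with Origin/Referer is authenticated by origin + public key;
// only a request with neither header has to present the secret key.
// All keys, origins and headers below are constructed sample values.

function constantTimeEqual(a, b) {
  // Compare secrets without returning early on the first differing byte.
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function requestOrigin(headers) {
  // Header names are case-insensitive; Origin is preferred, Referer is the fallback.
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  const source = lower.origin || lower.referer;
  if (!source) return null;
  try {
    return new URL(source).origin; // scheme + host only; the path is irrelevant
  } catch (e) {
    return null; // an unparsable header is treated as absent
  }
}

// `project` is an assumed shape: { publicKey, secretKey, allowedOrigins }.
function authorize(headers, query, project) {
  if (query.sentry_key !== project.publicKey) {
    return { ok: false, reason: 'unknown public key' };
  }
  const origin = requestOrigin(headers);
  if (origin !== null) {
    return project.allowedOrigins.includes(origin)
      ? { ok: true, via: 'origin' }
      : { ok: false, reason: `origin ${origin} is not allowed for this project` };
  }
  // No Origin/Referer at all: this is the fallback the request in this issue
  // hit, and it is the only path on which the secret key is required.
  if (constantTimeEqual(query.sentry_secret, project.secretKey)) {
    return { ok: true, via: 'secret' };
  }
  return { ok: false, reason: 'no Origin/Referer header and no valid secret key' };
}
```

A browser client should therefore only ever hit the first branch; a 400 from the last line is the signal that the headers went missing, not that the client needs the secret.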

@RestlessThinker
Author

Hi Matt,

I upgraded to the master branch, yes, the response is a lot more helpful now. Can you help figure out why Origin and Referer aren't getting attached? After some digging it's not an XHR request and it seems it gets sent from an image src which is not attached to the DOM, so would it not send those headers? Thanks and I look forward to your reply!


@mattrobenolt
Contributor

Usually the first guess is that you're making a request across protocols. So maybe your page is https and your DSN is using http. Or vice-versa.

Can you show me the request that's being attempted?
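A client-side DSN check that answers the question raised earlier in the thread, as an added example that is not raven-js code: it refuses any DSN carrying a secret (anything in page JavaScript is readable by every visitor) and flags the cross-protocol case this comment describes, where an http DSN on an https page, or the reverse, can reach the server without Referer/Origin. The DSN shape `{scheme}://{public}[:{secret}]@{host}/{path}{project_id}` and the sample values are assumptions.

```javascript
// Added example for this thread; not raven-js code.
// Assumed DSN shape: {scheme}://{public}[:{secret}]@{host}[:port]/{path}{project_id}

function parseDsn(dsn, pageProtocol) {
  const m = /^(https?):\/\/([^:@\/]+)(?::([^@\/]+))?@([^\/]+)\/(.*?)(\d+)$/i.exec(dsn);
  if (!m) throw new Error('invalid DSN');
  const [, scheme, publicKey, secretKey, host, path, projectId] = m;
  if (secretKey) {
    // A secret in a browser DSN is a leaked credential, not a configuration option.
    throw new Error('DSN contains a secret key; a browser client must use the public key only');
  }
  const warnings = [];
  // pageProtocol is window.location.protocol in a browser, e.g. "https:".
  if (pageProtocol && pageProtocol.replace(':', '').toLowerCase() !== scheme.toLowerCase()) {
    warnings.push(`scheme mismatch: page is ${pageProtocol} but DSN is ${scheme}; ` +
      'a cross-protocol request may be sent without Referer/Origin and be rejected');
  }
  return {
    endpoint: `${scheme}://${host}/${path}api/${projectId}/store/`,
    publicKey,
    projectId,
    warnings,
  };
}

// Query string for the store endpoint: version, client and public key only,
// the same shape as the request shown in this issue, never sentry_secret.
function buildStoreUrl(parsed, client) {
  const params = new URLSearchParams({
    sentry_version: '4',
    sentry_client: client,
    sentry_key: parsed.publicKey,
  });
  return `${parsed.endpoint}?${params.toString()}`;
}
```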

@RestlessThinker
Author

Here is the request:

Remote Address:23.23.95.139:443
Request URL:
https://heroshmeam.restlessthinker.com/api/1/store/?sentry_version=4&sentry_client=raven-js/1.1.16&sentry_key=b57223c3f9a3423fbbd24cd2741ab12b&sentry_data=%7B%22project%22%3A%221%22%2C%22logger%22%3A%22javascript%22%2C%22platform%22%3A%22javascript%22%2C%22request%22%3A%7B%22url%22%3A%22https%3A%2F%2Flouiep.restlessthinker.com%2Frestlessthinker%2F3054%2Fvantage%2Fsocial_queue%22%2C%22headers%22%3A%7B%22User-Agent%22%3A%22Mozilla%2F5.0%20(Macintosh%3B%20Intel%20Mac%20OS%20X%2010_9_5)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F37.0.2062.124%20Safari%2F537.36%22%2C%22Referer%22%3A%22https%3A%2F%2Flouiep.restlessthinker.com%2Frestlessthinker%2F3054%2Fvantage%2Fsocial_queue%22%7D%7D%2C%22message%22%3A%22ReferenceError%3A%20foo%20is%20not%20defined%5Cn%20%20%20%20at%20restlessthinker.HeroShmeam.QueueRoute.Ember.Route.extend.model%20(https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Fsocial_queue%2Frouter.js%3Fv%3D2566f51%3A22%3A9)%5Cn%20%20%20%20at%20apply%20(https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Flib%2Fember%2Fember.js%3Fv%3D2566f51%3A7770%3A43)%5Cn%20%20%20%20at%20superWrapper%20%5Bas%20model%5D%20(https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Flib%2Fember%2Fember.js%3Fv%3D2566f51%3A7356%3A31)%5Cn%20%20%20%20at%20EmberObject.extend.deserialize%20(https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Flib%2Fember%2Fember.js%3Fv%3D2566f51%3A37891%3A41)%5Cn%20%20%20%20at%20Object.HandlerInfo.runSharedModelHook%20(https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Flib%2Fember%2Fember.js%3Fv%3D2566f51%3A40174%3A77)%5Cn%20%20%20%20at%20Object.subclass.getModel%20(https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Flib%2Fember%2Fember.js%3Fv%3D2566f51%3A40398%3A37)%5Cn%20%20%20%20at%20https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Flib%2Fember%2Fember.js%3Fv%3D2566f51%3A41875%3A35%5Cn%20%20%20%20at%20invokeCallback%20(https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Flib%2Fember%2Fember.js%3Fv%3D
2566f51%3A10286%3A37)%5Cn%20%20%20%20at%20publish%20(https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Flib%2Fember%2Fember.js%3Fv%3D2566f51%3A9956%3A25)%5Cn%20%20%20%20at%20publishFulfillment%20(https%3A%2F%2Flouiep.restlessthinker.com%2Fstatic%2Fjs%2Flib%2Fember%2Fember.js%3Fv%3D2566f51%3A10376%3A21)%22%2C%22event_id%22%3A%22b9ca2f35d91a47bdbedc9b5281708428%22%7D
Request Method:GET
Status Code:400 BAD REQUEST
Request Headers
Accept:image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Cookie:sudo="H83t19bbqboV:1XYy8d:Xw36gSqKoRgghygDsGjNw9b3pAc";
sentrysid=".eJxrYKotZNSI4GJgYChJLS5Jzs_PzkyNYANyy_OLslNTQnnjE0tLMuJLi1OL4jNTvBlDuYpLilITc4vzi0oKmUJZUhJLUguZQ4WQlCUlJmen5qWEKhWn5pUUVeqVlmTmFOuB5PVccxMzcxyBLCeoGpbi0pT8CB6gfR4WxiWGlklJhUn5YaV6AAWkMyo:1XYy8e:J8pMpsAUN_QzBmPnfWlX33kKAC0";
csrftoken=EAzLlZKSscUUDQBhoK9lYN0YDD6RTjhX
Host:heroshmeam.restlessthinker.com
Pragma:no-cache
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Query String Parameters
sentry_version:4
sentry_client:raven-js/1.1.16
sentry_key:b57223c3f9a3423fbbd24cd2741ab12b
sentry_data:{"project":"1","logger":"javascript","platform":"javascript","request":{"url":"
https://louiep.restlessthinker.com/restlessthinker/3054/vantage/social_queue","headers":{"User-Agent":"Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/37.0.2062.124 Safari/537.36","Referer":"
https://louiep.restlessthinker.com/restlessthinker/3054/vantage/social_queue"}},"message":"ReferenceError:
foo is not defined\n at
restlessthinker.HeroShmeam.QueueRoute.Ember.Route.extend.model (
https://louiep.restlessthinker.com/static/js/social_queue/router.js?v=2566f51:22:9)\n
at apply (
https://louiep.restlessthinker.com/static/js/lib/ember/ember.js?v=2566f51:7770:43)\n
at superWrapper [as model]\n
at EmberObject.extend.deserialize (
https://louiep.restlessthinker.com/static/js/lib/ember/ember.js?v=2566f51:37891:41)\n
at Object.HandlerInfo.runSharedModelHook (
https://louiep.restlessthinker.com/static/js/lib/ember/ember.js?v=2566f51:40174:77)\n
at Object.subclass.getModel (
https://louiep.restlessthinker.com/static/js/lib/ember/ember.js?v=2566f51:40398:37)\n
at
https://louiep.restlessthinker.com/static/js/lib/ember/ember.js?v=2566f51:41875:35\n
at invokeCallback (
https://louiep.restlessthinker.com/static/js/lib/ember/ember.js?v=2566f51:10286:37)\n
at publish (
https://louiep.restlessthinker.com/static/js/lib/ember/ember.js?v=2566f51:9956:25)\n
at publishFulfillment (
https://louiep.restlessthinker.com/static/js/lib/ember/ember.js?v=2566f51:10376:21
)","event_id":"b9ca2f35d91a47bdbedc9b5281708428"}

@mattrobenolt
Contributor

Weird... so it sent your cookies but not a Referer. It seems that I can't access this louiep.restlessthinker.com to test personally. Is there a way that I can?

@RestlessThinker
Author

Not at the moment, that domain is on AWS, only accessible from an internal network here. I don't think the AWS load balancer would be removing those header fields, as other calls on that page do have the referrer header. Any other ideas?

