feat(cmd-k): Add DSN lookup API endpoint

[sergical]

Summary

Adds a private API endpoint that resolves a Sentry DSN to its associated project and key metadata. This powers the command palette (Cmd+K) — users can paste a DSN and quickly navigate to the corresponding project.

Endpoint: GET /api/0/organizations/{org}/dsn-lookup/?dsn=<dsn>

Behavior:

• Parses the DSN to extract the public key, then looks up the matching ProjectKey scoped to the requesting organization
• Returns project slug, ID, name, platform, and key label/ID
• Returns 404 for invalid DSNs, unknown keys, or keys belonging to projects outside the org

Access control:

• OrganizationEndpoint base class enforces org membership
• ProjectKey query is scoped by project__organization_id to prevent IDOR
• Gated behind the organizations:cmd-k-dsn-lookup feature flag
• Rate limited to 5 req/s per user

Context

Split from #108396 — this is the backend half. The frontend PR (command palette integration) will follow and reference this PR as a dependency.

Test plan

• Backend tests pass (pytest tests/sentry/api/endpoints/test_dsn_lookup.py)
• CI passes

[github-actions]

🚨 Warning: This pull request contains Frontend and Backend changes!

It's discouraged to make changes to Sentry's Frontend and Backend in a single pull request. The Frontend and Backend are not atomically deployed. If the changes are interdependent of each other, they must be separated into two pull requests and be made forward or backwards compatible, such that the Backend or Frontend can be safely deployed independently.

Have questions? Please ask in the #discuss-dev-infra channel.

[JoshFerge]

I believe this introduces a security vulnerability as is as we're not checking that the user has access to the project key. can we:

• use ProjectEndpoint or OrganizationEndpoint, which makes sure the user making request has access to the org/project?

• in the ProjectKey lookup, make sure we're adding project to the ORM query so we prevent IDOR attacks?

mind adding a bit of description to the PR / endpoint docstring? from reading this i'm not quite sure what the intended use of the endpoint is (a user gives a dsn and it gets back info about it?)

[JoshFerge]

blanket exception handling is not ideal. how exactly can urlparse error? I assume it returns an error more specific than Exception.

[sergical]

Good call — removed the try/except entirely. urlparse is extremely permissive and basically never raises; request.GET.get() always returns str | None and we already guard None/empty above. Invalid DSNs (like "not-a-dsn") just produce a parsed result with no username, which the if not public_key check handles.

[JoshFerge]

and if this is intended to be a user scoped endpoint, can we use UserEndpoint?

sentry/src/sentry/users/api/bases/user.py

Line 102 in 88684c1

class UserEndpoint(Endpoint):

[sergical]

Re: UserEndpoint suggestion — this endpoint is org-scoped: the feature flag is per-org, and the DSN belongs to a project within that org. We switched to OrganizationEndpoint (which enforces org membership) and scope the ProjectKey query by project__organization_id. So OrganizationEndpoint is the right fit here.

Latest push removes the blanket except Exception around urlparse as well.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[JoshFerge]

looks good!