diff --git a/CHANGELOG.md b/CHANGELOG.md
index f641131c9..d07282dd6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
+## Unreleased
+
+### Fixes
+
+- Don't add Expo Plugin option `authToken` to application bundle ([#3630](https://github.com/getsentry/sentry-react-native/pull/3630))
+ - Expo plugin configurations are generelly stored in plain text, and are also automatically added to built app bundles, and are therefore considered insecure.
+ - You should not set the auth token in the plugin config except for local testing. Instead, use the `SENTRY_AUTH_TOKEN` env variable, as pointed out in our [docs](https://docs.sentry.io/platforms/react-native/manual-setup/expo/).
+ - In addition to showing a warning, we are now actively removing an `authToken` from the plugin config if it was set.
+ - If you had set the auth token in the plugin config previously, **and** built and published an app with that config, you should [rotate your token](https://docs.sentry.io/product/accounts/auth-tokens/).
+
 ## 5.19.0
 This release contains upgrade of `sentry-android` dependency to major version 7. There are no breaking changes in the JS API. If you are using the Android API please check [the migration guide](https://docs.sentry.io/platforms/android/migration/#migrating-from-iosentrysentry-android-6x-to-iosentrysentry-android-700).
diff --git a/plugin/src/withSentry.ts b/plugin/src/withSentry.ts
index f1a4022fd..acf6ff4d6 100644
--- a/plugin/src/withSentry.ts
+++ b/plugin/src/withSentry.ts
@@ -14,6 +14,12 @@ interface PluginProps {
 const withSentryPlugin: ConfigPlugin = (config, props) => {
 const sentryProperties = getSentryProperties(props);
+
+ if (props && props.authToken) {
+ // If not removed, the plugin config with the authToken will be written to the application package
+ delete props.authToken;
+ }
+
 let cfg = config;
 if (sentryProperties !== null) {
 try {
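Review bot: The added block removes `authToken` by mutating the `props` object handed to the plugin, so the protection only holds if Expo later serialises that same object into the app manifest; if Expo passes the plugin a copy, the token would still be embedded despite the `delete`. A test that runs the plugin with `authToken` set and asserts the resulting config no longer contains the value would pin this down. The truthiness guard `props && props.authToken` also leaves an empty-string `authToken` key in place, which is harmless for exposure but hides the intent; `if (props && 'authToken' in props) { delete props.authToken; }` removes the key whenever it was supplied. The body of withSentryPlugin continues past the end of this hunk.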
@@ -33,12 +39,14 @@ const withSentryPlugin: ConfigPlugin = (config, props) => {
 );
 }
 }
+
 return cfg;
 };
-const missingAuthTokenMessage = '# auth.token is configured through SENTRY_AUTH_TOKEN environment variable';
 const missingProjectMessage = '# no project found, falling back to SENTRY_PROJECT environment variable';
 const missingOrgMessage = '# no org found, falling back to SENTRY_ORG environment variable';
+const existingAuthTokenMessage = `# DO NOT COMMIT the auth token, use SENTRY_AUTH_TOKEN instead, see https://docs.sentry.io/platforms/react-native/manual-setup/`;
+const missingAuthTokenMessage = `# Using SENTRY_AUTH_TOKEN environment variable`;
 export function getSentryProperties(props: PluginProps | void): string | null {
 const { organization, project, authToken, url = 'https://sentry.io/' } = props ?? {};
@@ -56,12 +64,7 @@ export function getSentryProperties(props: PluginProps | void): string | null {
 return `defaults.url=${url}
 ${organization ? `defaults.org=${organization}` : missingOrgMessage}
 ${project ? `defaults.project=${project}` : missingProjectMessage}
-${
- authToken
- ? `# Configure this value through \`SENTRY_AUTH_TOKEN\` environment variable instead. See: https://docs.sentry.io/platforms/react-native/manual-setup/\nauth.token=${authToken}`
- : missingAuthTokenMessage
-}
-`;
+${authToken ? `${existingAuthTokenMessage}\nauth.token=${authToken}` : missingAuthTokenMessage}`;
 }
 // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
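Review bot: The two new message constants are written as template literals with no interpolation, while the neighbouring `missingProjectMessage` and `missingOrgMessage` lines in the same hunk use single-quoted strings; `const existingAuthTokenMessage = '# DO NOT COMMIT the auth token, use SENTRY_AUTH_TOKEN instead, see https://docs.sentry.io/platforms/react-native/manual-setup/';` (and likewise for `missingAuthTokenMessage`) keeps the block uniform. The new `missingAuthTokenMessage` also reads as a status line rather than guidance for whoever opens the generated file; `'# auth.token is read from the SENTRY_AUTH_TOKEN environment variable'` says what to set. The `return cfg;` and closing `};` at the top of this hunk belong to withSentryPlugin, whose body starts outside it.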
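Review bot: The rewritten template now closes the literal directly after the auth-token line, whereas the removed lines ended it on a line of its own, so the string returned by getSentryProperties no longer ends with a newline and the generated sentry.properties ends mid-line; unless that is intended, add `\n` before the closing backtick of the new `+${authToken ? ...}` line to restore the old output. The token itself is still written verbatim into the properties file on the new side, with the `# DO NOT COMMIT` comment as the only safeguard; I cannot see from this hunk whether the generated file is excluded from version control, so a doc comment on getSentryProperties along the lines of `/** Renders sentry.properties; when authToken is given the token is written in clear text, so the output must not be committed. */` would make the contract explicit. getSentryProperties begins outside this hunk.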