Generate Org Auth Token for Sentry Wizard #357
Comments
Lms24
changed the title
|
discussion with @danielkhan when coming from product (onboarding wizard & issues & even docs if logged in) we do know the org and project. So is this necessary? state: solutions
|
Yes, we need to link the current wizard "session" to the Sentry backend to get any kind of data. To get this data, users need to be authenticated, which they do by logging in in the browser. If they're already previously logged in, they of course don't have to enter their credentials again but they're just forwarded. Regardless, the important part is that we authenticate and have the necessary permissions to get the data. Also, we don't know for certain what users did before they started the wizard and much less if the project they want to configure with the wizard is the one that they had open when they saw the command. Also, there's no guarantee that they're logged in when viewing docs.
Users log in via the browser today already. The wizard, by design, holds no authentication/credential data. The only thing that connects the wizard session to the authentication that happened in the browser is a hash which is used as a cache key. The wizard polls an endpoint with this key until it gets its data (right now a list of projects) and continues from their.
We can add this as an optional arg but I'd argue that making this required significantly decreases ease of use.
I might miss some context around this suggestion but how is this different from 2? Requiring users to already create an auth token before starting the wizard again increases friction. I think what's important to consider is that right now, today, users do not need to worry at all about their auth token when they use the wizard. However, they experience friction when selecting their project if they have more than a small number of projects. We should not degrade the UX just to get org tokens working in the wizard. However, doing project selection in the UI would increase usability for those with a higher number of projects. |
everything suggested would be optional. It should be thought of more like if not provided then normal flow with UI logins and selections, but IF provided then maybe the user can skip some steps |
For example: I've just signed up for Sentry and created a React project. In the product we already know the org and project at that point so we could include these args in the command itself that they copy and paste. Similarly if the user is on the issues details page. The command will be pretty darn long 🙈 but if they just click a button to copy theoretically it makes no difference. If we're able to do this, then theoretically we eliminate the step of them having to choose any org or project again, so it makes it slightly simpler. We still need the UI like you suggested for cases where customers just use the basic command. |
|
This issue has gone three weeks without activity. In another week, I will close it. But! If you comment or otherwise update it, I will reset the clock, and if you label it "A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀 |
|
This issue has gone three weeks without activity. In another week, I will close it. But! If you comment or otherwise update it, I will reset the clock, and if you label it "A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀 |
|
This issue has gone three weeks without activity. In another week, I will close it. But! If you comment or otherwise update it, I will reset the clock, and if you label it "A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀 |
|
omg this bot is so annoying |
|
Worth noting (we need to sketch this out in more detail): With the Hybrid Cloud region split, this task now has higher priority. We should reconsider the requirements though because we also need to paginate results. So even just within one project, we shouldn't load 1k projects at once because this could cause timeouts. |
|
I guess pagination is easier in a browser UI than CLI but I'm still a bit unsure about the whole "move things to the UI" idea. wondering what users would prefer:
|
|
Closing this as the new in-browser login and project selection flow solves this and we now create org-based auth tokens 🎉 |
Right now, in the wizard we're still generating the old, user-scoped auth tokens. We recently introduced Org-scoped auth tokens which should be preferred over user-based tokens whenever possible. We therefore want to create them in the wizard when selecting a project. Unfortunately, due to the nature of the current project selection flow, this brings along some challenges:
Problem
SetupWizardViewin the Sentry backend currently obtains one list of projects across all active orgs of a user.Related problems:
--organd--project(introduced in feat: allow passing or and project slug parameters #671) to not have to go through the entire list of projects. However, the current endpoint/view still loads all of the users' projects, even if they filtered it down to 1 in the wizard.Solution
We move the project selection step from the CLI to the browser UI. Instead of only logging in in the browser, users will also select their project afterwards.
More specifically, we modify the
SetupWizardReact component that's loaded by the Django template to tell users to return to the wizard. If there's more than one org and project assigned to the user, the user needs to select their project inside the browser. After the selection, we make another request to theSetupWizardViewwhich creates a new org token and updates the cache. During this entire time, the CLI (wizard) will wait until the project is selected and the backend created the corresponding org auth token. Once this is done, the CLI receives back the selected project data and token and it directly continues with the setup.Advantages
Disadvantages
Alternatives Considered
This boils down to the following tasks:
Tasks
org auth tokens epic: getsentry/team-sdks#6
ref: getsentry/team-sdks#16
The text was updated successfully, but these errors were encountered: