ref(objectstore): Make ObjectstoreEndpoint unauthenticated #114137

Merged
lcian merged 2 commits into
masterfrom
lcian/objectstore-endpoint-cleanup
Apr 29, 2026
Conversation

@lcian lcian commented Apr 28, 2026

Member

Reshapes the Objectstore proxy endpoint so that authentication is performed entirely by Objectstore.
This allows us to lift the feature flag gate, and is safe now that we're enforcing auth checks.

… feature gate

Drops the `organizations:objectstore-endpoint` feature flag, renames
`OrganizationObjectstoreEndpoint` to `ObjectstoreEndpoint`, and switches the
base class from `OrganizationEndpoint` to `Endpoint` with no DRF auth or
permission classes. Authentication is performed by Objectstore via the
`Authorization` or `X-Os-Auth` header. The `organization_id_or_slug` URL kwarg
remains for API Gateway cell routing only.
@github-actions github-actions Bot added the Scope: Backend Automatically applied to PRs that change backend components label Apr 28, 2026
@lcian lcian changed the title from "ref(objectstore): Make ObjectstoreEndpoint unauthenticated and drop feature gate" to "ref(objectstore): Make ObjectstoreEndpoint unauthenticated" Apr 28, 2026
Clarified the description of the ObjectstoreEndpoint class.
@lcian lcian marked this pull request as ready for review April 28, 2026 20:58
@lcian lcian requested a review from a team as a code owner April 28, 2026 20:58
@lcian lcian requested a review from matt-codecov April 28, 2026 21:02

@matt-codecov matt-codecov left a comment


cc @michelletran-sentry for vis

objectstore auth enforcement has been enabled so we are removing django auth here as it is redundant. that IDOR should also be fixed by the enforcement change

lcian commented Apr 28, 2026

Member Author

Ah yeah. Although I think the bots will go even crazier in saying that this is vulnerable now that the endpoint is unauthenticated.

@lcian lcian merged commit 1a4fccc into master Apr 29, 2026
77 checks passed
@lcian lcian deleted the lcian/objectstore-endpoint-cleanup branch April 29, 2026 10:16
@lcian lcian added the Trigger: Revert Add to a merged PR to revert it (skips CI) label Apr 29, 2026
@getsentry-bot

Contributor

PR reverted: 6ddfc44

getsentry-bot added a commit that referenced this pull request Apr 29, 2026
…114137)"

This reverts commit 1a4fccc.

Co-authored-by: lcian <17258265+lcian@users.noreply.github.com>
cleptric pushed a commit that referenced this pull request May 5, 2026
…114137)"

This reverts commit 1a4fccc.

Co-authored-by: lcian <17258265+lcian@users.noreply.github.com>
@github-actions github-actions Bot locked and limited conversation to collaborators May 14, 2026