feat(org-tokens): Adjust token format from JWT (#51341)

This PR adjusts the token format of the new org auth tokens from using
JWT to a custom format based on base64 encoding.
This should result in nicer endings of tokens, and also makes the tokens
considerably shorter.

Related to getsentry/rfcs#105

---------

Co-authored-by: Matthew T <matthew.trostel@sentry.io>

Author: mydea

src/sentry/api/endpoints/org_auth_tokens.py

@@ -16,7 +16,7 @@
 from sentry.models.organization import Organization
 from sentry.models.orgauthtoken import OrgAuthToken
 from sentry.utils import hashlib
-from sentry.utils.security.orgauthtoken_jwt import generate_token
+from sentry.utils.security.orgauthtoken_token import generate_token
 
 
 @control_silo_endpoint

src/sentry/utils/security/orgauthtoken_jwt.py

@@ -0,0 +1,45 @@
+import secrets
+from base64 import b64decode, b64encode
+from datetime import datetime
+
+from django.conf import settings
+
+from sentry.utils import json
+
+SENTRY_ORG_AUTH_TOKEN_PREFIX = "sntrys_"
+
+
+def generate_token(org_slug: str, region_url: str):
+    sentry_url = settings.SENTRY_OPTIONS.get("system.url-prefix")
+    payload = {
+        "iat": datetime.utcnow().timestamp(),
+        "url": sentry_url,
+        "region_url": region_url,
+        "org": org_slug,
+    }
+    secret = b64encode(secrets.token_bytes(nbytes=32)).decode("ascii").rstrip("=")
+
+    json_str = json.dumps(payload)
+    payload_encoded = base64_encode_str(json_str)
+
+    return f"{SENTRY_ORG_AUTH_TOKEN_PREFIX}{payload_encoded}_{secret}"
+
+
+def parse_token(token: str):
+    if not token.startswith(SENTRY_ORG_AUTH_TOKEN_PREFIX) or token.count("_") != 2:
+        return None
+
+    payload_hashed = token[len(SENTRY_ORG_AUTH_TOKEN_PREFIX) : token.rindex("_")]
+
+    try:
+        payload_str = b64decode((payload_hashed).encode("ascii")).decode("ascii")
+        payload = json.loads(payload_str)
+        if not payload.get("iat"):
+            return None
+        return payload
+    except Exception:
+        return None
+
+
+def base64_encode_str(str):
+    return b64encode(str.encode("ascii")).decode("ascii")

src/sentry/utils/security/orgauthtoken_token.py

@@ -0,0 +1,74 @@
+from sentry.testutils import TestCase
+from sentry.utils import json
+from sentry.utils.security.orgauthtoken_token import (
+    SENTRY_ORG_AUTH_TOKEN_PREFIX,
+    base64_encode_str,
+    generate_token,
+    parse_token,
+)
+
+
+class OrgAuthTokenTokenTest(TestCase):
+    def test_generate_token(self):
+        token = generate_token("test-org", "https://test-region.sentry.io")
+
+        assert token
+        assert token.startswith(SENTRY_ORG_AUTH_TOKEN_PREFIX)
+
+    def test_parse_token(self):
+        token = generate_token("test-org", "https://test-region.sentry.io")
+        token_payload = parse_token(token)
+
+        assert token_payload["org"] == "test-org"
+        assert token_payload["url"] == "http://testserver"
+        assert token_payload["region_url"] == "https://test-region.sentry.io"
+
+    def test_parse_invalid_token(self):
+        assert parse_token("invalid-token") is None
+
+    def test_parse_invalid_token_json(self):
+        payload_str = (
+            '{"iat": 12345678,"url": "test-site","region_url": "test-site","org": "test-org}'
+        )
+        payload_hashed = base64_encode_str(payload_str)
+        token = SENTRY_ORG_AUTH_TOKEN_PREFIX + payload_hashed + "_secret"
+
+        assert parse_token(token) is None
+
+    def test_parse_invalid_token_iat(self):
+        payload = {
+            "url": "test-site",
+            "region_url": "test-site",
+            "org": "test-org",
+        }
+
+        payload_str = json.dumps(payload)
+        payload_hashed = base64_encode_str(payload_str)
+        token = SENTRY_ORG_AUTH_TOKEN_PREFIX + payload_hashed + "_secret"
+
+        assert parse_token(token) is None
+
+    def test_parse_invalid_token_missing_secret(self):
+        payload = {
+            "iat": 12345678,
+            "url": "test-site",
+            "region_url": "test-site",
+            "org": "test-org",
+        }
+
+        payload_str = json.dumps(payload)
+        payload_hashed = base64_encode_str(payload_str)
+        token = SENTRY_ORG_AUTH_TOKEN_PREFIX + payload_hashed
+
+        assert parse_token(token) is None
+
+    def test_generate_token_unique(self):
+        jwt1 = generate_token("test-org", "https://test-region.sentry.io")
+        jwt2 = generate_token("test-org", "https://test-region.sentry.io")
+        jwt3 = generate_token("test-org", "https://test-region.sentry.io")
+
+        assert jwt1
+        assert jwt2
+        assert jwt3
+        assert jwt1 != jwt2
+        assert jwt2 != jwt3