feat(cells): Add stub for synapse endpoint by lynnagara · Pull Request #105975 · getsentry/sentry

lynnagara · 2026-01-08T23:28:58Z

to be based on #106231

lynnagara · 2026-01-08T23:29:32Z

src/sentry/api/endpoints/synapse/org_cell_mappings.py

+        if not settings.SYNAPSE_AUTH_SECRET:
+            return False
+
+        return request.META.get("HTTP_X_SYNAPSE_AUTH") == settings.SYNAPSE_AUTH_SECRET


is this an acceptable way to lock down this endpoint? i saw similar approaches used elsewhere in this codebase

Most of our other service-to-service requests are using payload/request hmac signatures. We should follow that pattern here so we can consolidate to a single implementation in the future.

github-actions · 2026-01-08T23:33:11Z

🚨 Warning: This pull request contains Frontend and Backend changes!

It's discouraged to make changes to Sentry's Frontend and Backend in a single pull request. The Frontend and Backend are not atomically deployed. If the changes are interdependent of each other, they must be separated into two pull requests and be made forward or backwards compatible, such that the Backend or Frontend can be safely deployed independently.

Have questions? Please ask in the #discuss-dev-infra channel.

src/sentry/api/endpoints/synapse/org_cell_mappings.py

markstory · 2026-01-09T16:34:52Z

src/sentry/api/endpoints/synapse/org_cell_mappings.py

+        if not settings.SYNAPSE_AUTH_SECRET:
+            return False
+
+        return request.META.get("HTTP_X_SYNAPSE_AUTH") == settings.SYNAPSE_AUTH_SECRET


Most of our other service-to-service requests are using payload/request hmac signatures. We should follow that pattern here so we can consolidate to a single implementation in the future.

markstory · 2026-01-09T16:36:35Z

src/sentry/api/urls.py

    ),
+    # Cell routing endpoints
+    re_path(
+        r"^org-cell-mappings/$",


Should this be under the /internal path like other internal API endpoints?

Good idea, moved to the internal list

markstory · 2026-01-13T17:07:19Z

src/sentry/api/endpoints/synapse/org_cell_mappings.py

+class SynapseAuthPermission(BasePermission):
+    """
+    Validates HMAC signature for Synapse requests.
+
+    Expects the X-Synapse-Signature header to contain the HMAC-SHA256 hex digest
+    of the request body, signed with SYNAPSE_AUTH_SECRET.
+    """
+
+    def has_permission(self, request: Request, view: object) -> bool:
+        if settings.IS_DEV:
+            return True
+
+        if not settings.SYNAPSE_HMAC_SECRET:
+            return False
+
+        signature = request.META.get("HTTP_X_SYNAPSE_SIGNATURE")
+        if not signature:
+            return False
+
+        body_bytes = request.body if request.body not in (None, b"") else b""
+
+        computed_hmac = hmac.new(
+            settings.SYNAPSE_HMAC_SECRET.encode("utf-8"),
+            body_bytes,
+            hashlib.sha256,
+        ).hexdigest()
+
+        return hmac.compare_digest(signature, computed_hmac)


Typically we implement this logic in an authentication adapter. We should be able to use the existing generic signature adapter:

sentry/src/sentry/api/authentication.py

Lines 707 to 743 in 203f0a1

class ServiceRpcSignatureAuthentication(StandardAuthentication):

"""

Generic authentication for service RPC requests.

Requests are sent with an HMAC signed by a shared private key.

Subclasses should define:

- shared_secret_setting_name: str - name of the settings attribute (e.g., "SEER_RPC_SHARED_SECRET")

- service_name: str - name of the service for logging (e.g., "Seer", "Launchpad")

- sdk_tag_name: str - name for the SDK tag (e.g., "seer_rpc_auth", "launchpad_rpc_auth")

"""

token_name = b"rpcsignature"

shared_secret_setting_name: str

service_name: str

sdk_tag_name: str

def accepts_auth(self, auth: list[bytes]) -> bool:

if not auth or len(auth) < 2:

return False

return auth[0].lower() == self.token_name

def authenticate_token(self, request: Request, token: str) -> tuple[Any, Any]:

shared_secret_setting = getattr(settings, self.shared_secret_setting_name, None)

if shared_secret_setting is None:

raise RpcAuthenticationSetupException(

f"Cannot validate {self.service_name} RPC request signatures without shared secret"

)

if not compare_service_signature(

request.path_info, request.body, token, shared_secret_setting, self.service_name

):

raise AuthenticationFailed("Invalid signature")

sentry_sdk.get_isolation_scope().set_tag(self.sdk_tag_name, True)

return (AnonymousUser(), token)

src/sentry/api/endpoints/synapse/org_cell_mappings.py

+class OrgCellMappingsEndpoint(Endpoint):
+    """
+    Returns the organization-to-cell mappings for all orgs in pages.
+    Only accessible by the Synapse internal service via X-Synapse-Auth header.
+    """
+
+    owner = ApiOwner.INFRA_ENG
+    publish_status = {
+        "GET": ApiPublishStatus.PRIVATE,
+    }
+    permission_classes = (SynapseAuthPermission,)


markstory · 2026-01-14T16:57:42Z

src/sentry/conf/server.py

 CONDUIT_PUBLISH_JWT_ISSUER: str = os.getenv("CONDUIT_PUBLISH_JWT_ISSUER", "sentry.io")
 CONDUIT_PUBLISH_JWT_AUDIENCE: str = os.getenv("CONDUIT_PUBLISH_JWT_AUDIENCE", "conduit")
+
+SYNAPSE_HMAC_SECRET: str | None = os.getenv("SYNAPSE_HMAC_SECRET")


I added a linear task so we don't forget to add this secret in.

src/sentry/api/endpoints/synapse/org_cell_mappings.py

to match hmac auth added in getsentry/sentry#105975

src/sentry/conf/server.py

to match hmac auth added in getsentry/sentry#105975

lynnagara added 2 commits January 8, 2026 15:26

feat(cells): add stub for synapse endpoint

5b7227e

.

dca6e94

lynnagara requested a review from markstory January 8, 2026 23:28

lynnagara requested review from a team as code owners January 8, 2026 23:28

github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jan 8, 2026

lynnagara commented Jan 8, 2026

View reviewed changes

🛠️ apply pre-commit fixes

4c9d7cf

vercel bot deployed to Preview January 8, 2026 23:32 View deployment

🛠️ Sync API Urls to TypeScirpt

30f65b8

github-actions bot added the Scope: Frontend Automatically applied to PRs that change frontend components label Jan 8, 2026

vercel bot deployed to Preview January 8, 2026 23:35 View deployment

cursor bot reviewed Jan 8, 2026

View reviewed changes

src/sentry/api/endpoints/synapse/org_cell_mappings.py Outdated Show resolved Hide resolved

markstory reviewed Jan 9, 2026

View reviewed changes

hmac

d8439a9

vercel bot deployed to Preview January 12, 2026 21:25 View deployment

lynnagara and others added 2 commits January 12, 2026 13:26

move url under /internal

25f5c2a

🛠️ Sync API Urls to TypeScript

ce391fb

vercel bot deployed to Preview January 12, 2026 21:32 View deployment

markstory reviewed Jan 13, 2026

View reviewed changes

lynnagara added 3 commits January 13, 2026 12:46

update var name

07cf923

reuse ServiceRpcSignatureAuthentication

ea78f6d

.

ca1f808

vercel bot deployed to Preview January 13, 2026 20:49 View deployment

sentry bot reviewed Jan 13, 2026

View reviewed changes

cursor bot reviewed Jan 13, 2026

View reviewed changes

src/sentry/api/endpoints/synapse/org_cell_mappings.py Show resolved Hide resolved

authentication_classes

ef92cf5

vercel bot deployed to Preview January 13, 2026 21:00 View deployment

lynnagara added a commit to getsentry/synapse that referenced this pull request Jan 13, 2026

locator: sign control plane requests

89f765c

to match hmac auth added in getsentry/sentry#105975

lynnagara mentioned this pull request Jan 13, 2026

locator: sign control plane requests getsentry/synapse#112

Merged

lynnagara added 2 commits January 14, 2026 14:15

Merge remote-tracking branch 'origin/master' into synapse-endpoint-stub

0dc59db

updates

b430bd0

vercel bot deployed to Preview January 14, 2026 22:20 View deployment

it gets called with lower()

92650f9

sentry bot reviewed Jan 14, 2026

View reviewed changes

src/sentry/conf/server.py Outdated Show resolved Hide resolved

vercel bot deployed to Preview January 14, 2026 22:24 View deployment

setting must be a list

e1417be

vercel bot deployed to Preview January 14, 2026 23:20 View deployment

markstory approved these changes Jan 15, 2026

View reviewed changes

lynnagara added a commit to getsentry/synapse that referenced this pull request Jan 15, 2026

locator: sign control plane requests (#112)

04aa106

to match hmac auth added in getsentry/sentry#105975

lynnagara merged commit 675566e into master Jan 15, 2026
69 checks passed

lynnagara deleted the synapse-endpoint-stub branch January 15, 2026 20:48

github-actions bot locked and limited conversation to collaborators Jan 31, 2026

	class ServiceRpcSignatureAuthentication(StandardAuthentication):
	"""
	Generic authentication for service RPC requests.
	Requests are sent with an HMAC signed by a shared private key.

	Subclasses should define:
	- shared_secret_setting_name: str - name of the settings attribute (e.g., "SEER_RPC_SHARED_SECRET")
	- service_name: str - name of the service for logging (e.g., "Seer", "Launchpad")
	- sdk_tag_name: str - name for the SDK tag (e.g., "seer_rpc_auth", "launchpad_rpc_auth")
	"""

	token_name = b"rpcsignature"
	shared_secret_setting_name: str
	service_name: str
	sdk_tag_name: str

	def accepts_auth(self, auth: list[bytes]) -> bool:
	if not auth or len(auth) < 2:
	return False
	return auth[0].lower() == self.token_name

	def authenticate_token(self, request: Request, token: str) -> tuple[Any, Any]:
	shared_secret_setting = getattr(settings, self.shared_secret_setting_name, None)

	if shared_secret_setting is None:
	raise RpcAuthenticationSetupException(
	f"Cannot validate {self.service_name} RPC request signatures without shared secret"
	)

	if not compare_service_signature(
	request.path_info, request.body, token, shared_secret_setting, self.service_name
	):
	raise AuthenticationFailed("Invalid signature")

	sentry_sdk.get_isolation_scope().set_tag(self.sdk_tag_name, True)

	return (AnonymousUser(), token)

Uh oh!

Conversation

lynnagara commented Jan 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

This comment was marked as outdated.

Uh oh!

This comment was marked as outdated.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

lynnagara commented Jan 8, 2026 •

edited

Loading