feat(integrations): Add signed ViewerContext header propagation#112430
Draft
Add infrastructure for propagating ViewerContext across HTTP service boundaries using signed headers. Sending side: inject_viewer_context_headers() serializes the active ViewerContext into X-Viewer-Context with an HMAC-SHA256 signature and issuer identifier. Each internal service uses its own shared secret. Receiving side: ViewerContextMiddleware checks for signed headers before falling back to request-based auth. Maps the issuer to a known shared secret, verifies the signature, and only then trusts the payload. Unknown issuers or invalid signatures fall through to normal auth. Includes ViewerContext.deserialize() classmethod for reconstructing from JSON payloads. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Add infrastructure for propagating ViewerContext across HTTP service
boundaries using HMAC-signed headers. This is part of the ViewerContext
RFC rollout.
When Sentry (or an internal service like Seer) makes an HTTP call to
another service, the active ViewerContext needs to cross the wire. This
PR adds the sending and receiving sides of that mechanism.
Sending side (viewer_context.py):
- inject_viewer_context_headers(headers, secret, issuer) reads the contextvar, serializes to JSON, HMAC-signs with the caller's shared secret, and sets three headers: X-Viewer-Context, X-Viewer-Context-Signature, and X-Viewer-Context-Issuer.
- ViewerContext.deserialize() classmethod for reconstructing from JSON payloads.

Receiving side (middleware/viewer_context.py):
- ViewerContextMiddleware now checks for signed headers before falling back to request-based auth derivation.
- Maps the issuer to a known shared secret (sentry → RPC_SHARED_SECRET, seer → SEER_RPC_SHARED_SECRET, etc.).
- Unknown issuers or invalid signatures silently fall through to normal auth.
- new services.
Security: external users cannot forge the header because they don't
have the shared secrets. The signature is verified before the payload
is trusted. This is the same trust model used for cross-silo RPC.
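The sending and receiving sides described above, as an added, self-contained example; this is not the PR's code and not Sentry's ViewerContext, viewer_context.py or ViewerContextMiddleware. The ViewerContext fields, the ISSUER_SECRETS map and its byte values, the viewer_context_from_headers() function name and the demo() inputs are all constructed for illustration. One deliberate addition the PR text does not describe is that the issuer name is mixed into the HMAC input, so a payload and signature minted under one issuer's secret cannot be re-presented under another issuer label.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Mapping, Optional

# Constructed per-issuer shared secrets. The PR maps issuer -> settings such as
# RPC_SHARED_SECRET and SEER_RPC_SHARED_SECRET; these byte values are made up.
ISSUER_SECRETS: dict[str, bytes] = {
    "sentry": b"constructed-sentry-secret-not-real",
    "seer": b"constructed-seer-secret-not-real",
}


@dataclass(frozen=True)
class ViewerContext:
    # Field set is an assumption for the example, not Sentry's actual model.
    user_id: int
    organization_id: int
    is_superuser: bool = False

    def serialize(self) -> str:
        # Canonical JSON: sorted keys and no whitespace, so signer and
        # verifier HMAC exactly the same bytes.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))

    @classmethod
    def deserialize(cls, payload: str) -> "ViewerContext":
        data = json.loads(payload)
        return cls(
            user_id=int(data["user_id"]),
            organization_id=int(data["organization_id"]),
            is_superuser=bool(data.get("is_superuser", False)),
        )


def _sign(issuer: str, payload: str, secret: bytes) -> str:
    # Issuer is bound into the MAC input (example's addition, see lead-in).
    msg = issuer.encode("utf-8") + b"\n" + payload.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def inject_viewer_context_headers(
    headers: dict, ctx: ViewerContext, secret: bytes, issuer: str
) -> dict:
    """Sending side: serialize the context, sign it, set the three headers."""
    payload = ctx.serialize()
    headers["X-Viewer-Context"] = payload
    headers["X-Viewer-Context-Signature"] = _sign(issuer, payload, secret)
    headers["X-Viewer-Context-Issuer"] = issuer
    return headers


def viewer_context_from_headers(
    headers: Mapping[str, str], secrets: Mapping[str, bytes] = ISSUER_SECRETS
) -> Optional[ViewerContext]:
    """Receiving side. Returns a ViewerContext only after the issuer is known
    and the signature verifies; returns None otherwise, which is the signal
    for the caller to fall through to ordinary request-based auth."""
    payload = headers.get("X-Viewer-Context")
    sig = headers.get("X-Viewer-Context-Signature")
    issuer = headers.get("X-Viewer-Context-Issuer")
    if not (payload and sig and issuer):
        return None  # no signed context present
    secret = secrets.get(issuer)
    if secret is None:
        return None  # unknown issuer: do not guess a secret
    expected = _sign(issuer, payload, secret)
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered; payload is never parsed
    try:
        return ViewerContext.deserialize(payload)  # trusted only now
    except (ValueError, KeyError, TypeError):
        return None  # well-signed but malformed payload still falls through


def demo() -> dict:
    """Run the honest path and three rejection paths on constructed input."""
    ctx = ViewerContext(user_id=42, organization_id=7)
    good = inject_viewer_context_headers({}, ctx, ISSUER_SECRETS["seer"], "seer")

    # Payload edited after signing: signature no longer matches.
    tampered = dict(good)
    tampered["X-Viewer-Context"] = tampered["X-Viewer-Context"].replace(
        '"is_superuser":false', '"is_superuser":true'
    )
    # Caller signs with a secret the receiver has never heard of.
    unknown = inject_viewer_context_headers({}, ctx, b"attacker-secret", "evil")
    # Valid seer-signed headers re-labelled as coming from sentry.
    relabelled = dict(good)
    relabelled["X-Viewer-Context-Issuer"] = "sentry"

    return {
        "headers": good,
        "good": viewer_context_from_headers(good),
        "tampered": viewer_context_from_headers(tampered),
        "unknown_issuer": viewer_context_from_headers(unknown),
        "relabelled_issuer": viewer_context_from_headers(relabelled),
        "no_headers": viewer_context_from_headers({}),
    }
```

Two points worth keeping from this sketch when wiring a real middleware: verify with hmac.compare_digest before touching the payload at all, and sign the exact serialized string that is placed in the header (canonical JSON on both ends), since any re-serialization between signing and sending silently breaks verification and every request will fall through to request-based auth without an error.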