fix(api): Validate scope_list in ApiKey serializer #108475

Merged
dcramer merged 1 commit into master from fix/api-key-scope-validation
Feb 18, 2026
Conversation

@dcramer
Member

@dcramer dcramer commented Feb 18, 2026

Add scope validation to ApiKeySerializer so that invalid scope strings
are rejected with a 400 response instead of being silently persisted.

The OrgAuthToken model validates scope_list against SENTRY_SCOPES
via validate_scope_list, but the legacy ApiKey serializer accepted
arbitrary strings. While invalid scopes are inert at enforcement time
(they never match any endpoint's allowed_scopes), the inconsistency
represents an oversight and violates defense-in-depth principles.

The fix adds a validate_scope_list method to ApiKeySerializer that
checks each scope against SENTRY_SCOPES and returns a descriptive
error for any invalid entries. Existing tests that relied on saving
invalid scopes have been updated to use valid scopes, and new tests
cover both fully-invalid and mixed-valid/invalid scope lists.

The ApiKeySerializer accepted arbitrary strings in scope_list without
validation, inconsistent with OrgAuthToken which validates scopes
against SENTRY_SCOPES. Add validate_scope_list to reject invalid
scope strings with a 400 response.

Co-Authored-By: Claude <[email protected]>
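As an added illustration (not Sentry's code and not this PR's diff) of the `validate_scope_list` check the description outlines: a minimal stand-in for a DRF-style serializer, with a constructed subset of scopes in place of the real `SENTRY_SCOPES`, showing the legacy accept-anything path beside the fixed path that maps the validation error to a 400 naming each invalid entry.

```python
# Added example, not Sentry's code. SENTRY_SCOPES here is a constructed
# subset standing in for Sentry's real scope registry.
SENTRY_SCOPES = {
    "project:read", "project:write", "org:read", "org:write",
    "member:read", "event:read",
}


class ValidationError(Exception):
    """Validation failure; the view layer maps it to an HTTP 400."""


def validate_scope_list(value):
    """Reject any scope not in SENTRY_SCOPES, naming every bad entry."""
    invalid = sorted(set(value) - SENTRY_SCOPES)
    if invalid:
        raise ValidationError(f"Invalid scopes: {', '.join(invalid)}")
    return value


class LegacyApiKeySerializer:
    """Pre-fix behaviour: scope_list is persisted as-is, unchecked."""

    def validate(self, data):
        return dict(data)


class ApiKeySerializer:
    """Post-fix behaviour: per-field validators run (DRF's validate_<field>
    convention, mimicked here); any failure is collected per field."""

    field_validators = {"scope_list": validate_scope_list}

    def validate(self, data):
        errors, cleaned = {}, {}
        for field, val in data.items():
            validator = self.field_validators.get(field, lambda v: v)
            try:
                cleaned[field] = validator(val)
            except ValidationError as exc:
                errors[field] = [str(exc)]
        if errors:
            raise ValidationError(errors)
        return cleaned


def handle_request(serializer, payload):
    """Mimic the view: (400, errors) on failure, (200, cleaned data) on success."""
    try:
        return 200, serializer.validate(payload)
    except ValidationError as exc:
        return 400, exc.args[0]
```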
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Feb 18, 2026
@dcramer dcramer marked this pull request as ready for review February 18, 2026 19:16
@dcramer dcramer requested a review from a team as a code owner February 18, 2026 19:16
@dcramer dcramer enabled auto-merge (squash) February 18, 2026 19:16
@dcramer dcramer merged commit c3eed23 into master Feb 18, 2026
78 checks passed
@dcramer dcramer deleted the fix/api-key-scope-validation branch February 18, 2026 19:26
JonasBa pushed a commit that referenced this pull request Feb 19, 2026
mchen-sentry pushed a commit that referenced this pull request Feb 24, 2026
@github-actions github-actions bot locked and limited conversation to collaborators Mar 6, 2026