@sl0thentr0py
Member

Description

For async views in Django, we're supposed to use the async version auser to fetch user info.

Issues

@sl0thentr0py sl0thentr0py requested a review from a team as a code owner January 7, 2026 15:54
@linear
linear bot commented Jan 7, 2026

Comment on lines 217 to 219
if should_send_default_pii():
with capture_internal_exceptions():
request._sentry_user_info = await _get_user_info(request)
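Review bot: On the last line, if _get_user_info(request) raises, capture_internal_exceptions() suppresses the error and request._sentry_user_info is never assigned, so any later reader of the attribute has to fall back to a default, for example getattr(request, "_sentry_user_info", {}), rather than use direct attribute access. A short comment here stating that the attribute may be absent would make that contract explicit.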

This comment was marked as outdated.

@sl0thentr0py sl0thentr0py force-pushed the neel/fix-django-async-user branch 2 times, most recently from cf2d25c to bd37ba6 Compare January 7, 2026 16:03
@sl0thentr0py sl0thentr0py marked this pull request as draft January 7, 2026 16:13
@pytest_mark_django_db_decorator()
@pytest.mark.skipif(
django.VERSION < (3, 0), reason="Django ASGI support shipped in 3.0"
)
Test skipif condition requires newer Django version

Medium Severity

The test test_user_pii_in_asgi_with_auth has a skipif condition checking for django.VERSION < (3, 0), but the test view async_mylogin uses User.objects.acreate_user() (added in Django 4.1) and alogin (added in Django 5.1). This mismatch means the test will fail with an ImportError when run on Django versions 3.0 through 5.0, since the skipif condition won't exclude those versions but the required APIs don't exist.

🔬 Verification Test

Why verification test was not possible: This test failure would manifest only when running the test suite against specific Django versions (3.x, 4.x, 5.0). The test would fail with an ImportError: cannot import name 'alogin' from 'django.contrib.auth' when Django < 5.1 is used. Verifying this would require setting up multiple Django version environments which is outside the scope of this review.


def _set_user_info(request: "ASGIRequest", event: "Event") -> None:
user_info = getattr(request, "_sentry_user_info", {})
event.setdefault("user", user_info)
Async user info doesn't merge with existing user data

Low Severity

The new async _set_user_info uses event.setdefault("user", user_info) which only sets the user dict if no "user" key exists. In contrast, the sync version in sentry_sdk/integrations/django/__init__.py uses event.setdefault("user", {}) then user_info.setdefault() on individual fields, which merges request user data into any existing user dict. This means if scope.set_user({"id": "custom"}) is called before the event processor runs, the sync version would still add email and username from the authenticated user, but the async version adds nothing. This behavioral inconsistency could cause missing user fields in async contexts.

🔬 Verification Test

Why verification test was not possible: This requires testing the interaction between scope.set_user() and the event processor in an async Django context, which would need a full integration test environment with Django ASGI running. The behavioral difference is clear from comparing the sync implementation at lines 584-605 in __init__.py (which calls setdefault on individual fields) versus the async implementation (which calls setdefault on the entire user dict).

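The difference described in the review comment above can be reproduced with plain dicts, without a Django ASGI environment. This is an added example, not code from the PR or the SDK: the function names, the `REQUEST_USER` sample and its field values are constructed, and the per-field merge is a sketch of what the comment says the sync path does.

```python
import copy

# Constructed sample of what the request-derived user info might contain.
REQUEST_USER = {"id": "42", "email": "alice@example.test", "username": "alice"}


def set_user_whole(event, request_user):
    """Whole-dict form shown in the async snippet: only fills "user" if absent."""
    event.setdefault("user", request_user)
    return event


def set_user_merged(event, request_user):
    """Per-field merge as the comment describes for the sync path:
    values already on the event win, missing fields are added."""
    user = event.setdefault("user", {})
    for key, value in request_user.items():
        user.setdefault(key, value)
    return event


def compare(event):
    """Apply both strategies to independent copies of the same event."""
    whole = set_user_whole(copy.deepcopy(event), dict(REQUEST_USER))
    merged = set_user_merged(copy.deepcopy(event), dict(REQUEST_USER))
    return whole["user"], merged["user"]


if __name__ == "__main__":
    cases = {
        "no user on event": {},
        "scope.set_user({'id': 'custom'}) ran first": {"user": {"id": "custom"}},
    }
    for label, event in cases.items():
        whole, merged = compare(event)
        print(f"{label}\n  whole-dict: {whole}\n  per-field:  {merged}")
```

When the event has no user yet, both forms produce the same result; they diverge only when a user dict is already present, which is the case the comment raises.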

@sl0thentr0py sl0thentr0py force-pushed the neel/fix-django-async-user branch from bd37ba6 to a908d9d Compare January 7, 2026 16:45
@sl0thentr0py sl0thentr0py force-pushed the neel/fix-django-async-user branch from a908d9d to 6c0c2a7 Compare January 7, 2026 16:46
Development

Successfully merging this pull request may close these issues.

Django ASGI: send_default_pii triggers request.user.is_authenticated sync access
