PyPI - hawkapi-sentry - Versions diffs - 0.1.0__tar.gz → 0.2.0__tar.gz - Mend

hawkapi-sentry 0.1.0tar.gz → 0.2.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/.gitignore RENAMED Viewed

@@ -31,6 +31,5 @@ coverage.xml
 .idea/
 .vscode/
 .history/
-.claude/
 site/
 .remember/

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/CHANGELOG.md RENAMED Viewed

@@ -7,6 +7,33 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.2.0] - 2026-05-16
+### Security
+- Fix distributed-trace continuation to use the modern
+  `sentry_sdk.continue_trace` API instead of the broken
+  `transaction.continuing_trace` call.
+- Mask sensitive query parameters (`token`, `key`, `api_key`, `password`,
+  `secret`, `access_token`, `refresh_token`) in the Sentry request context
+  (CWE-200). `request_context` now takes an optional
+  `sensitive_query_params` argument.
+- `send_default_pii` is explicitly defaulted to `False` in
+  `sentry_sdk.init`.
+### Changed
+- After routing matches, the transaction is renamed to the route template
+  (e.g. `GET /users/{id}`) with `source="route"` so transactions group
+  correctly in Sentry.
+- Removed the unused private `_redact_headers_helper` method.
+## [0.1.1] - 2026-04-19
+### Changed
+- Bump `Development Status` classifier to `5 - Production/Stable`.
 ## [0.1.0] - 2026-04-19
 ### Added

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: hawkapi-sentry
-Version: 0.1.0
+Version: 0.2.0
 Summary: Sentry integration for HawkAPI — plugin + middleware
 Project-URL: Homepage, https://github.com/ashimov/hawkapi-sentry
 Project-URL: Repository, https://github.com/ashimov/hawkapi-sentry
@@ -9,7 +9,7 @@ Author-email: HawkAPI Contributors <hawkapi@users.noreply.github.com>
 License-Expression: MIT
 License-File: LICENSE
 Keywords: error-tracking,hawkapi,monitoring,observability,sentry
-Classifier: Development Status :: 4 - Beta
+Classifier: Development Status :: 5 - Production/Stable
 Classifier: Framework :: AsyncIO
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: MIT License

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hawkapi-sentry"
-version = "0.1.0"
+version = "0.2.0"
 description = "Sentry integration for HawkAPI — plugin + middleware"
 readme = "README.md"
 license = "MIT"
@@ -15,7 +15,7 @@ authors = [
 ]
 keywords = ["hawkapi", "sentry", "observability", "error-tracking", "monitoring"]
 classifiers = [
-    "Development Status :: 4 - Beta",
+    "Development Status :: 5 - Production/Stable",
     "Framework :: AsyncIO",
     "Intended Audience :: Developers",
     "License :: OSI Approved :: MIT License",

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/src/hawkapi_sentry/__init__.py RENAMED Viewed

@@ -5,7 +5,7 @@ from __future__ import annotations
 from hawkapi_sentry._middleware import SentryMiddleware
 from hawkapi_sentry._plugin import SentryPlugin
-__version__ = "0.1.0"
+__version__ = "0.2.0"
 __all__ = [
     "SentryMiddleware",

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/src/hawkapi_sentry/_context.py RENAMED Viewed

@@ -3,6 +3,7 @@
 from __future__ import annotations
 from typing import Any
+from urllib.parse import parse_qsl, quote, urlencode
 _REDACT_HEADER_NAMES = frozenset(
     [
@@ -14,7 +15,20 @@ _REDACT_HEADER_NAMES = frozenset(
     ]
 )
+_SENSITIVE_QUERY_PARAMS: frozenset[str] = frozenset(
+    {
+        "token",
+        "key",
+        "api_key",
+        "password",
+        "secret",
+        "access_token",
+        "refresh_token",
+    }
+)
 _FILTERED = "[Filtered]"
+_REDACTED_VALUE = "***"
 def redact_headers(headers: Any) -> dict[str, str]:
@@ -33,6 +47,28 @@ def redact_headers(headers: Any) -> dict[str, str]:
     return result
+def redact_query_string(qs: str, sensitive: frozenset[str] | None = None) -> str:
+    """Return *qs* with values for sensitive keys replaced by ``***``.
+    The ``***`` sentinel is emitted verbatim — `urlencode` would otherwise
+    percent-encode the asterisks and obscure the intent of the redaction
+    in Sentry's UI.
+    """
+    if not qs:
+        return qs
+    targets = sensitive if sensitive is not None else _SENSITIVE_QUERY_PARAMS
+    targets = frozenset(t.lower() for t in targets)
+    pairs = parse_qsl(qs, keep_blank_values=True)
+    parts: list[str] = []
+    for k, v in pairs:
+        key = urlencode([(k, "")]).rstrip("=")
+        if k.lower() in targets:
+            parts.append(f"{key}={_REDACTED_VALUE}")
+        else:
+            parts.append(f"{key}={quote(v, safe='')}")
+    return "&".join(parts)
 def status_class(status_code: int) -> str:
     """Map an HTTP status code to an OTel/Sentry transaction status string."""
     if status_code < 400:
@@ -42,11 +78,20 @@ def status_class(status_code: int) -> str:
     return "internal_error"
-def request_context(request: Any) -> dict[str, Any]:
-    """Build a Sentry request context dict from a HawkAPI Request."""
+def request_context(
+    request: Any,
+    *,
+    sensitive_query_params: frozenset[str] | None = None,
+) -> dict[str, Any]:
+    """Build a Sentry request context dict from a HawkAPI Request.
+    Sensitive values in the ``query_string`` field are masked with ``***`` so
+    they never reach Sentry's UI (CWE-200).
+    """
     url: str = request.url
     qs_raw: Any = request.query_string
     qs: str = qs_raw.decode("latin-1") if hasattr(qs_raw, "decode") else str(qs_raw)
+    qs = redact_query_string(qs, sensitive_query_params)
     return {
         "method": request.method,
         "url": url,

hawkapi_sentry-0.2.0/src/hawkapi_sentry/_middleware.py ADDED Viewed

@@ -0,0 +1,117 @@
+"""SentryMiddleware — per-request Sentry transaction and breadcrumb."""
+from __future__ import annotations
+import contextlib
+from typing import Any
+import sentry_sdk
+from hawkapi.middleware.base import Middleware
+from hawkapi.requests.request import Request
+from hawkapi.responses.json_response import JSONResponse
+from hawkapi.responses.response import Response
+from hawkapi_sentry._context import status_class
+def _start_transaction(method: str, path: str, traceparent: str | None) -> Any:
+    """Return a started Sentry transaction.
+    If ``traceparent`` is provided we continue the upstream trace; otherwise
+    we start a new root transaction. ``sentry_sdk.continue_trace`` is the
+    modern v2 SDK API; older callers may not have it, in which case we fall
+    back to ``Transaction.continue_from_headers``.
+    """
+    if traceparent:
+        if hasattr(sentry_sdk, "continue_trace"):
+            return sentry_sdk.continue_trace(
+                environ_or_headers={"sentry-trace": traceparent},
+                op="http.server",
+                name=f"{method} {path}",
+            )
+        # Pre-2.x SDK fallback.
+        from sentry_sdk.tracing import Transaction  # noqa: PLC0415
+        return Transaction.continue_from_headers(
+            {"sentry-trace": traceparent},
+            op="http.server",
+            name=f"{method} {path}",
+        )
+    return sentry_sdk.start_transaction(
+        op="http.server",
+        name=f"{method} {path}",
+        source="url",
+    )
+class SentryMiddleware(Middleware):
+    """Starts a Sentry performance transaction for every HTTP request."""
+    async def before_request(self, request: Request) -> Request | Response | JSONResponse | None:
+        """Start a Sentry transaction and add a breadcrumb."""
+        method: str = request.method
+        path: str = request.path
+        traceparent = request.headers.get("sentry-trace") or request.headers.get("traceparent")
+        transaction = _start_transaction(method, path, traceparent)
+        if (
+            traceparent
+            and hasattr(sentry_sdk, "start_transaction")
+            and not hasattr(transaction, "__enter__")
+        ):
+            # ``continue_trace`` returns a Transaction object that still needs
+            # to be started via ``start_transaction`` in newer SDKs.
+            transaction = sentry_sdk.start_transaction(transaction)
+        request.state._sentry_tx = transaction  # type: ignore[attr-defined]
+        transaction.__enter__()  # type: ignore[attr-defined]
+        sentry_sdk.add_breadcrumb(
+            category="request",
+            message=f"{method} {path}",
+            level="info",
+        )
+        return None
+    async def after_response(
+        self, request: Request, response: Response | JSONResponse
+    ) -> Response | JSONResponse | None:
+        """Finish the Sentry transaction with HTTP metadata."""
+        tx: Any = getattr(getattr(request, "state", None), "_sentry_tx", None)
+        if tx is None:
+            return None
+        status_code: int = response.status_code
+        # Once routing has run we know the matched template (e.g.
+        # ``/users/{id}``), which groups individual requests in Sentry's
+        # transaction list.
+        route_template = self._extract_route_template(request)
+        if route_template:
+            tx.name = f"{request.method} {route_template}"
+            with contextlib.suppress(Exception):
+                tx.source = "route"  # type: ignore[attr-defined]
+        tx.set_tag("http.method", request.method)
+        tx.set_tag("http.status_code", str(status_code))
+        tx.set_tag("http.target", request.path)
+        tx.set_status(status_class(status_code))
+        tx.__exit__(None, None, None)  # type: ignore[attr-defined]
+        return None
+    @staticmethod
+    def _extract_route_template(request: Request) -> str | None:
+        # HawkAPI exposes the matched route on ``request.scope`` (``route``)
+        # and/or ``request.scope["path_template"]`` depending on version.
+        scope_obj: Any = getattr(request, "scope", None) or {}
+        if not isinstance(scope_obj, dict):
+            return None
+        scope: dict[str, Any] = dict(scope_obj)  # type: ignore[arg-type]
+        for key in ("route", "path_template", "endpoint_path"):
+            value: Any = scope.get(key)
+            if isinstance(value, str) and value:
+                return value
+            template: Any = getattr(value, "path", None) if value is not None else None
+            if isinstance(template, str) and template:
+                return template
+        return None

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/src/hawkapi_sentry/_plugin.py RENAMED Viewed

@@ -9,7 +9,7 @@ from typing import Any
 import sentry_sdk
 from hawkapi.plugins import Plugin
-from hawkapi_sentry._context import redact_headers, request_context
+from hawkapi_sentry._context import request_context
 logger = logging.getLogger("hawkapi_sentry")
@@ -53,7 +53,12 @@ class SentryPlugin(Plugin):
     # ------------------------------------------------------------------
     def on_startup(self) -> None:
-        """Initialise the Sentry SDK. No-op when dsn is empty or None."""
+        """Initialise the Sentry SDK. No-op when dsn is empty or None.
+        ``send_default_pii`` is forced off by default so the SDK does not
+        attach IP addresses, cookies, or other PII to every event. Pass
+        ``before_send`` to opt back in selectively.
+        """
         if not self._dsn:
             logger.info("hawkapi_sentry: no DSN provided — Sentry disabled (no-op mode)")
             return
@@ -64,6 +69,7 @@ class SentryPlugin(Plugin):
             "traces_sample_rate": self._traces_sample_rate,
             "profiles_sample_rate": self._profiles_sample_rate,
         }
+        init_kwargs.setdefault("send_default_pii", False)
         if self._release is not None:
             init_kwargs["release"] = self._release
         if self._before_send is not None:
@@ -121,7 +127,3 @@ class SentryPlugin(Plugin):
                 if isinstance(user, dict):
                     return user  # type: ignore[return-value]
         return None
-    def _redact_headers_helper(self, headers: Any) -> dict[str, str]:
-        """Delegate to module-level helper."""
-        return redact_headers(headers)

hawkapi_sentry-0.2.0/tests/test_security.py ADDED Viewed

@@ -0,0 +1,83 @@
+"""Regression tests for 0.2.0 hardening fixes."""
+from __future__ import annotations
+from unittest.mock import MagicMock, patch
+import pytest
+from hawkapi_sentry._context import redact_query_string, request_context
+from hawkapi_sentry._middleware import SentryMiddleware
+class _FakeHeaders:
+    def __init__(self, data: dict[str, str] | None = None) -> None:
+        self._data = data or {}
+    def get(self, key: str, default: str | None = None) -> str | None:
+        return self._data.get(key, default)
+    def items(self) -> list[tuple[str, str]]:
+        return list(self._data.items())
+class _FakeState:
+    pass
+class _FakeRequest:
+    def __init__(self, headers: dict[str, str] | None = None) -> None:
+        self.method = "POST"
+        self.path = "/api/items"
+        self.headers = _FakeHeaders(headers or {})
+        self.state = _FakeState()
+        self.scope = {}
+@pytest.mark.asyncio
+async def test_traceparent_continues_trace() -> None:
+    """A request carrying ``sentry-trace`` must reach ``continue_trace``."""
+    mock_tx = MagicMock()
+    mock_tx.__enter__ = MagicMock(return_value=mock_tx)
+    mock_tx.__exit__ = MagicMock(return_value=False)
+    mw = SentryMiddleware(app=MagicMock())  # type: ignore[arg-type]
+    parent = "0123456789abcdef0123456789abcdef-aabbccddeeff0011-1"
+    req = _FakeRequest(headers={"sentry-trace": parent})
+    with (
+        patch("hawkapi_sentry._middleware.sentry_sdk.continue_trace") as m_cont,
+        patch(
+            "hawkapi_sentry._middleware.sentry_sdk.start_transaction",
+            return_value=mock_tx,
+        ),
+        patch("sentry_sdk.add_breadcrumb"),
+    ):
+        m_cont.return_value = mock_tx
+        await mw.before_request(req)  # type: ignore[arg-type]
+        m_cont.assert_called_once()
+        called_kwargs = m_cont.call_args.kwargs
+        assert called_kwargs["environ_or_headers"] == {"sentry-trace": parent}
+def test_query_param_redaction_in_request_context() -> None:
+    """Sensitive query params must not reach Sentry's request context."""
+    class R:
+        method = "GET"
+        url = "https://example.com/x?token=abc&page=2"
+        query_string = b"token=abc&page=2&api_key=zzz"
+        headers = _FakeHeaders({})
+    ctx = request_context(R())
+    assert "token=***" in ctx["query_string"]
+    assert "api_key=***" in ctx["query_string"]
+    assert "abc" not in ctx["query_string"]
+    assert "page=2" in ctx["query_string"]
+def test_redact_query_string_custom_set() -> None:
+    """Callers can extend the redaction set."""
+    out = redact_query_string("token=a&shared=b", frozenset({"shared"}))
+    assert "shared=***" in out
+    assert "token=a" in out

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/uv.lock RENAMED Viewed

@@ -56,7 +56,7 @@ wheels = [
 [[package]]
 name = "hawkapi-sentry"
-version = "0.1.0"
+version = "0.2.0"
 source = { editable = "." }
 dependencies = [
     { name = "hawkapi" },

hawkapi_sentry-0.1.0/src/hawkapi_sentry/_middleware.py DELETED Viewed

@@ -1,61 +0,0 @@
-"""SentryMiddleware — per-request Sentry transaction and breadcrumb."""
-from __future__ import annotations
-from typing import Any
-import sentry_sdk
-from hawkapi.middleware.base import Middleware
-from hawkapi.requests.request import Request
-from hawkapi.responses.json_response import JSONResponse
-from hawkapi.responses.response import Response
-from hawkapi_sentry._context import status_class
-class SentryMiddleware(Middleware):
-    """Starts a Sentry performance transaction for every HTTP request."""
-    async def before_request(self, request: Request) -> Request | Response | JSONResponse | None:
-        """Start a Sentry transaction and add a breadcrumb."""
-        method: str = request.method
-        path: str = request.path
-        # Extract traceparent for distributed tracing
-        traceparent = request.headers.get("sentry-trace") or request.headers.get("traceparent")
-        transaction = sentry_sdk.start_transaction(
-            op="http.server",
-            name=f"{method} {path}",
-            source="url",
-        )
-        if traceparent:
-            transaction.continuing_trace({"sentry-trace": traceparent})  # type: ignore[attr-defined]
-        request.state._sentry_tx = transaction  # type: ignore[attr-defined]
-        transaction.__enter__()  # type: ignore[attr-defined]
-        sentry_sdk.add_breadcrumb(
-            category="request",
-            message=f"{method} {path}",
-            level="info",
-        )
-        return None
-    async def after_response(
-        self, request: Request, response: Response | JSONResponse
-    ) -> Response | JSONResponse | None:
-        """Finish the Sentry transaction with HTTP metadata."""
-        tx: Any = getattr(getattr(request, "state", None), "_sentry_tx", None)
-        if tx is None:
-            return None
-        status_code: int = response.status_code
-        tx.set_tag("http.method", request.method)
-        tx.set_tag("http.status_code", str(status_code))
-        tx.set_tag("http.target", request.path)
-        tx.set_status(status_class(status_code))
-        tx.__exit__(None, None, None)  # type: ignore[attr-defined]
-        return None

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/.github/workflows/ci.yml RENAMED Viewed

File without changes

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/.github/workflows/release.yml RENAMED Viewed

File without changes

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/LICENSE RENAMED Viewed

File without changes

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/README.md RENAMED Viewed

File without changes

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/tests/__init__.py RENAMED Viewed

File without changes

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/tests/conftest.py RENAMED Viewed

File without changes

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/tests/test_context.py RENAMED Viewed

File without changes

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/tests/test_integration.py RENAMED Viewed

File without changes

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/tests/test_middleware.py RENAMED Viewed

File without changes

{hawkapi_sentry-0.1.0 → hawkapi_sentry-0.2.0}/tests/test_plugin.py RENAMED Viewed

File without changes

hawkapi-sentry 0.1.0__tar.gz → 0.2.0__tar.gz

hawkapi-sentry 0.1.0tar.gz → 0.2.0tar.gz