fix(auth): Bypass SSO for viewer-context requests

Viewer-context authentication is used by Seer code mode callbacks, but the
request was treated like a browser session and forced through the SSO
gate for SSO-required orgs.

Mark viewer-context-authenticated requests explicitly and let them skip
only the SSO requirement while keeping normal membership-based access
checks intact. Add a regression test covering the SSO-required org path.

Co-Authored-By: OpenAI Codex <noreply@openai.com>

Author: gricha

src/sentry/api/authentication.py

@@ -833,6 +833,7 @@ def authenticate(self, request: Request) -> tuple[Any, Any] | None:
             return None
 
         sentry_sdk.get_isolation_scope().set_tag("viewer_context_auth", True)
+        request.user_from_viewer_context = True
 
         # Return None for auth to match session behavior —
         # determine_access will derive scopes from org membership role.

src/sentry/api/permissions.py

@@ -203,7 +203,9 @@ def determine_access(
             rpc_user_org_context=org_context,
         )
 
-        if auth.is_user_signed_request(request):
+        if auth.is_user_signed_request(request) or getattr(
+            request, "user_from_viewer_context", False
+        ):
             # if the user comes from a signed request
             # we let them pass if sso is enabled
             logger.info(

tests/sentry/api/bases/test_organization.py

@@ -1,16 +1,20 @@
+import hashlib
+import hmac
 from datetime import timedelta
 from functools import cached_property
 from unittest import mock
 
+import orjson
 import pytest
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.backends.base import SessionBase
 from django.db.models import F
-from django.test import RequestFactory
+from django.test import RequestFactory, override_settings
 from django.utils import timezone
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.views import APIView
 
+from sentry.api.authentication import ViewerContextAuthentication
 from sentry.api.bases.organization import (
     NoProjects,
     OrganizationAndStaffPermission,
@@ -96,6 +100,8 @@ def has_object_perm(
 
 
 class OrganizationPermissionTest(PermissionBaseTestCase):
+    VIEWER_CONTEXT_SHARED_SECRET = "test-seer-api-shared-secret"
+
     def org_require_2fa(self):
         self.org.update(flags=F("flags").bitor(Organization.flags.require_2fa))
         assert self.org.flags.require_2fa.is_set is True
@@ -311,6 +317,39 @@ def test_sso_required(self) -> None:
         with pytest.raises(SsoRequired):
             assert not self.has_object_perm("POST", self.org, user=user)
 
+    @override_settings(SEER_API_SHARED_SECRET=VIEWER_CONTEXT_SHARED_SECRET)
+    def test_viewer_context_auth_bypasses_sso_gate(self) -> None:
+        user = self.create_user()
+        self.create_member(user=user, organization=self.org, role="member")
+
+        with assume_test_silo_mode(SiloMode.CONTROL):
+            auth_provider = AuthProvider.objects.create(
+                organization_id=self.org.id, provider="dummy"
+            )
+            AuthIdentity.objects.create(auth_provider=auth_provider, user=user)
+
+        context = orjson.dumps({"user_id": user.id, "actor_type": "user"}).decode()
+        signature = hmac.new(
+            self.VIEWER_CONTEXT_SHARED_SECRET.encode("utf-8"),
+            context.encode("utf-8"),
+            hashlib.sha256,
+        ).hexdigest()
+
+        request = RequestFactory().get("/api/0/organizations/")
+        request.session = SessionBase()
+        request.META["HTTP_X_VIEWER_CONTEXT"] = context
+        request.META["HTTP_X_VIEWER_CONTEXT_SIGNATURE"] = signature
+
+        drf_request = drf_request_from_request(request)
+        result = ViewerContextAuthentication().authenticate(drf_request)
+
+        assert result is not None
+        drf_request.user, drf_request.auth = result
+        assert getattr(drf_request, "user_from_viewer_context", False) is True
+
+        permission = self.permission_cls()
+        permission.determine_access(request=drf_request, organization=self.org)
+
 
 class OrganizationAndStaffPermissionTest(PermissionBaseTestCase):
     def setUp(self) -> None: