fix(oauth): Preserve session payload across cycle_key() in authorize flow#111738
Merged
michelletran-sentry merged 2 commits into master on Mar 30, 2026
Conversation

markstory approved these changes on Mar 27, 2026

michelletran-sentry approved these changes on Mar 30, 2026
This PR addresses a `KeyError: 'oa2'` that occurred in the `/oauth/authorize/` endpoint when an unauthenticated user attempted to log in during an OAuth authorization flow.

Root Cause:

The `_logged_out_post` method in `oauth_authorize.py` calls `request.session.cycle_key()` to prevent session fixation attacks. However, `cycle_key()` regenerates the session ID and, in doing so, was inadvertently clearing the OAuth payload stored under `request.session["oa2"]`. Consequently, when the code attempted to access `request.session["oa2"]["uid"]` immediately after `cycle_key()`, it resulted in a `KeyError`.

Solution:

The fix involves preserving the `oa2` payload across the `cycle_key()` operation. Before `request.session.cycle_key()` is called, the existing `request.session["oa2"]` data is retrieved and stored in a temporary variable. After `cycle_key()` has regenerated the session, this saved payload is restored to the new session, and the `uid` is updated with the authenticated user's ID. Finally, `request.session.modified` is set to `True` to ensure the changes are persisted.

This approach maintains the security benefits of `cycle_key()` while ensuring the necessary OAuth context is not lost during the login process.

Legal Boilerplate
Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.
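The save / rotate / restore / persist pattern the description lays out, as an added example that is not Sentry's code and does not reproduce the actual `_logged_out_post` implementation. It uses a constructed `SessionStore` class (a stand-in, not Django's `SessionBase`) whose `cycle_key()` deliberately models the failure mode the PR reports: a fresh session ID with an empty data dict. The `"oa2"` payload values and the explicit "no payload" check in the fixed handler are assumptions made here for illustration.

```python
import secrets


class SessionStore:
    """Constructed stand-in for a server-side session object.

    This is NOT Django's SessionBase; it models only the behaviour the PR
    describes: cycle_key() issues a fresh session ID backed by an empty
    data dict, so any payload not explicitly carried over is lost.
    """

    def __init__(self):
        self._backend = {}  # stands in for the cache/DB that holds session records
        self.session_key = ""
        self._data = {}
        self.modified = False
        self._create()

    def _create(self):
        self.session_key = secrets.token_hex(16)
        self._data = {}
        self._backend[self.session_key] = self._data

    def cycle_key(self):
        """Rotate the session ID (anti-fixation) and drop the old record."""
        old_key = self.session_key
        self._create()
        self._backend.pop(old_key, None)

    def __getitem__(self, key):
        return self._data[key]

    def __setitem__(self, key, value):
        self._data[key] = value
        self.modified = True

    def get(self, key, default=None):
        return self._data.get(key, default)

    def has_record(self, key):
        return key in self._backend


def new_oauth_session():
    """Session as it looks when /oauth/authorize/ sends an anonymous user to
    log in: the OAuth context is parked under "oa2" (values constructed)."""
    session = SessionStore()
    session["oa2"] = {"uid": None, "client_id": "client-example", "scope": "read"}
    session.modified = False
    return session


def logged_out_post_buggy(session, user_id):
    """Pre-fix shape of the handler: rotate first, then touch the payload."""
    session.cycle_key()
    session["oa2"]["uid"] = user_id  # KeyError: 'oa2' on a store like this one
    return session["oa2"]


def logged_out_post_fixed(session, user_id):
    """Post-fix shape: save the payload, rotate, restore, update uid, persist."""
    oa2 = session.get("oa2")
    if oa2 is None:
        # Assumption, not from the PR: fail loudly when the OAuth context is
        # missing instead of raising a KeyError deep inside the handler.
        raise ValueError("no OAuth payload in session")
    session.cycle_key()  # the ID is still rotated, so fixation protection is kept
    session["oa2"] = oa2
    session["oa2"]["uid"] = user_id
    session.modified = True  # make sure the backend writes the new record
    return session["oa2"]


def reproduces_keyerror(user_id=42):
    """True when the buggy handler raises KeyError('oa2') on a fresh session."""
    try:
        logged_out_post_buggy(new_oauth_session(), user_id)
    except KeyError as exc:
        return exc.args == ("oa2",)
    return False


def rotation_and_payload_check(user_id=42):
    """Run the fixed handler and report what a reviewer would want to verify."""
    session = new_oauth_session()
    old_key = session.session_key
    payload = logged_out_post_fixed(session, user_id)
    return {
        "key_rotated": session.session_key != old_key,
        "old_record_gone": not session.has_record(old_key),
        "uid_set": payload["uid"] == user_id,
        "client_preserved": payload["client_id"] == "client-example",
        "modified": session.modified,
    }


if __name__ == "__main__":
    print("buggy handler raises KeyError:", reproduces_keyerror())
    print("fixed handler checks:", rotation_and_payload_check())
```

The point of `rotation_and_payload_check` is that the fix has to satisfy both properties at once: the pre-login session ID must be gone from the backend (the session fixation defence `cycle_key()` exists for), and the OAuth context must survive into the new session with `uid` filled in and `modified` set so the store actually writes it.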