fix(sentry): in production request body was collected by default

betagouv · Mar 21, 2024 · ae9dccc · ae9dccc
1 parent 598ece0
commit ae9dccc
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/sentry.client.config.ts b/sentry.client.config.ts
@@ -2,7 +2,7 @@ import { Offline as OfflineIntegration } from '@sentry/integrations';
 import * as Sentry from '@sentry/nextjs';
 import SentryRRWeb from '@sentry/rrweb';
 
-import { dsn, environment, release } from '@etabli/src/utils/sentry';
+import { beforeSend, dsn, environment, release } from '@etabli/src/utils/sentry';
 
 const hasReplays = true;
 const integrations: any[] = [new OfflineIntegration({})];
@@ -29,6 +29,7 @@ Sentry.init({
   release: release,
   autoSessionTracking: true,
   integrations,
+  beforeSend: beforeSend,
 });
 
 // Help to distinguish in the UI an extension resource is available

diff --git a/sentry.server.config.ts b/sentry.server.config.ts
@@ -1,6 +1,6 @@
 import * as Sentry from '@sentry/nextjs';
 
-import { dsn, environment, release } from '@etabli/src/utils/sentry';
+import { beforeSend, dsn, environment, release } from '@etabli/src/utils/sentry';
 
 const integrations: any[] = [];
 
@@ -11,4 +11,5 @@ Sentry.init({
   release: release,
   autoSessionTracking: true,
   integrations,
+  beforeSend: beforeSend,
 });
diff --git a/src/utils/sentry.ts b/src/utils/sentry.ts
@@ -1,3 +1,5 @@
+import type { ErrorEvent, Event, EventHint } from '@sentry/types';
+
 // An empty DSN will disable Sentry
 // We want it to be enabled only when deployed
 export const dsn = process.env.NODE_ENV === 'production' ? process.env.SENTRY_DSN || process.env.NEXT_PUBLIC_SENTRY_DSN : undefined;
@@ -7,3 +9,15 @@ export const environment = process.env.NEXT_PUBLIC_APP_MODE;
 // During runtime this must match the value from the build so there is a connection to uploaded source maps
 // The following will be overriden by an hardcoded value as wanted thanks to Next.js `env` property
 export const release = process.env.SENTRY_RELEASE_TAG;
+
+// To have the same behavior on frontend and backend
+export function beforeSend(event: ErrorEvent, hint: EventHint): PromiseLike<Event | null> | Event | null {
+  // For whatever reason in production Sentry is by default recording the request body going to Next.js endpoints (`pages/api` folder)
+  // ... whereas it's not when testing locally. So to prevent this we make sure to mask any input that would be collected
+  // Note: did not find a parameter to prevent this easily (only for their client in .NET or Python)
+  if (!!event.request?.data) {
+    event.request.data = '[masked]';
+  }
+
+  return event;
+}