Fix user handling for django ASGI

Author: sl0thentr0py

sentry_sdk/integrations/django/asgi.py

@@ -35,6 +35,45 @@
     _F = TypeVar("_F", bound=Callable[..., Any])
 
 
+async def _get_user_info(request: "ASGIRequest") -> "dict[str, str]":
+    user_info = {}  # type: dict[str, str]
+
+    if not hasattr(request, "auser"):
+        return user_info
+
+    try:
+        user = await request.auser()
+    except Exception:
+        return user_info
+
+    from sentry_sdk.integrations.django import is_authenticated
+
+    if user is None or not is_authenticated(user):
+        return user_info
+
+    try:
+        user_info["id"] = str(user.pk)
+    except Exception:
+        pass
+
+    try:
+        user_info["email"] = user.email
+    except Exception:
+        pass
+
+    try:
+        user_info["username"] = user.get_username()
+    except Exception:
+        pass
+
+    return user_info
+
+
+def _set_user_info(request: "ASGIRequest", event: "Event") -> None:
+    user_info = getattr(request, "_sentry_user_info", {})
+    event.setdefault("user", user_info)
+
+
 # Python 3.12 deprecates asyncio.iscoroutinefunction() as an alias for
 # inspect.iscoroutinefunction(), whilst also removing the _is_coroutine marker.
 # The latter is replaced with the inspect.markcoroutinefunction decorator.
@@ -56,10 +95,7 @@ def asgi_request_event_processor(event: "Event", hint: "dict[str, Any]") -> "Eve
         # if the request is gone we are fine not logging the data from
         # it.  This might happen if the processor is pushed away to
         # another thread.
-        from sentry_sdk.integrations.django import (
-            DjangoRequestExtractor,
-            _set_user_info,
-        )
+        from sentry_sdk.integrations.django import DjangoRequestExtractor
 
         if request is None:
             return event
@@ -178,16 +214,22 @@ async def sentry_wrapped_callback(
         if sentry_scope.profile is not None:
             sentry_scope.profile.update_active_thread_id()
 
+        if should_send_default_pii():
+            with capture_internal_exceptions():
+                request._sentry_user_info = await _get_user_info(request)
+
         integration = sentry_sdk.get_client().get_integration(DjangoIntegration)
         if not integration or not integration.middleware_spans:
-            return await callback(request, *args, **kwargs)
-
-        with sentry_sdk.start_span(
-            op=OP.VIEW_RENDER,
-            name=request.resolver_match.view_name,
-            origin=DjangoIntegration.origin,
-        ):
-            return await callback(request, *args, **kwargs)
+            result = await callback(request, *args, **kwargs)
+        else:
+            with sentry_sdk.start_span(
+                op=OP.VIEW_RENDER,
+                name=request.resolver_match.view_name,
+                origin=DjangoIntegration.origin,
+            ):
+                result = await callback(request, *args, **kwargs)
+
+        return result
 
     return sentry_wrapped_callback
 

tests/integrations/django/asgi/test_asgi.py

@@ -9,10 +9,12 @@
 import django
 import pytest
 from channels.testing import HttpCommunicator
+
 from sentry_sdk import capture_message
 from sentry_sdk.integrations.django import DjangoIntegration
 from sentry_sdk.integrations.django.asgi import _asgi_middleware_mixin_factory
 from tests.integrations.django.myapp.asgi import channels_application
+from tests.integrations.django.utils import pytest_mark_django_db_decorator
 
 try:
     from django.urls import reverse
@@ -737,3 +739,49 @@ async def test_transaction_http_method_custom(sentry_init, capture_events, appli
     (event1, event2) = events
     assert event1["request"]["method"] == "OPTIONS"
     assert event2["request"]["method"] == "HEAD"
+
+
+@pytest.mark.asyncio
+@pytest.mark.forked
+@pytest_mark_django_db_decorator()
+@pytest.mark.skipif(
+    django.VERSION < (3, 0), reason="Django ASGI support shipped in 3.0"
+)
+async def test_user_pii_in_asgi_with_auth(sentry_init, capture_events, settings):
+    settings.MIDDLEWARE = [
+        "django.contrib.sessions.middleware.SessionMiddleware",
+        "django.contrib.auth.middleware.AuthenticationMiddleware",
+    ]
+
+    asgi_application.load_middleware(is_async=True)
+
+    sentry_init(
+        integrations=[DjangoIntegration()],
+        send_default_pii=True,
+    )
+
+    events = capture_events()
+
+    comm = HttpCommunicator(asgi_application, "GET", "/async_mylogin")
+    response = await comm.get_response()
+    await comm.wait()
+
+    assert response["status"] == 200
+
+    # Get session cookie from login response
+    set_cookie = next(v for k, v in response["headers"] if k.lower() == b"set-cookie")
+    headers = [(b"cookie", set_cookie)]
+
+    comm = HttpCommunicator(asgi_application, "GET", "/async_message", headers=headers)
+    response = await comm.get_response()
+    await comm.wait()
+
+    assert response["status"] == 200
+
+    (event,) = events
+    assert event["message"] == "hi"
+    assert event["user"] == {
+        "email": "lennon@thebeatles.com",
+        "username": "john_async",
+        "id": "1",
+    }

tests/integrations/django/myapp/urls.py

@@ -110,6 +110,9 @@ def path(path, *args, **kwargs):
 ]
 
 # async views
+if views.async_mylogin is not None:
+    urlpatterns.append(path("async_mylogin", views.async_mylogin, name="async_mylogin"))
+
 if views.async_message is not None:
     urlpatterns.append(path("async_message", views.async_message, name="async_message"))
 

tests/integrations/django/myapp/views.py

@@ -136,6 +136,19 @@ def mylogin(request):
     return HttpResponse("ok")
 
 
+@csrf_exempt
+async def async_mylogin(request):
+    user = await User.objects.acreate_user(
+        "john_async", "lennon@thebeatles.com", "johnpassword"
+    )
+    user.backend = "django.contrib.auth.backends.ModelBackend"
+
+    from django.contrib.auth import alogin
+
+    await alogin(request, user)
+    return HttpResponse("ok")
+
+
 @csrf_exempt
 def handler500(request):
     return HttpResponseServerError("Sentry error.")