
fix(auth): Mask SCIM token after 5-minute visibility window #108093

Merged
wedamija merged 2 commits into master from danf/vuln-789-scim-token-masking
Mar 9, 2026

Conversation

@wedamija
Member

@wedamija wedamija commented Feb 12, 2026

SCIM tokens were displayed in full plaintext on the SSO settings page indefinitely, allowing any manager-role user to copy and misuse the token. Now tokens are only fully visible for 5 minutes after creation, then masked to show only the last 4 characters.

Fixes https://linear.app/getsentry/issue/VULN-789/
Based on @geoffg-sentry's previous PR #106995. AFAICT, creating a separate PR for RPC wasn't necessary, since the model and view are both on control.
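The display rule stated in the description, written out as an added example (not the code from this PR or from Sentry): a token is returned in full while it is less than five minutes old and is otherwise reduced to its last four characters. The names `mask_token`, `token_for_display` and `TOKEN_VISIBILITY_WINDOW` are assumptions, and the sample token is constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed constants, matching the description: 5-minute window, last 4 chars visible.
TOKEN_VISIBILITY_WINDOW = timedelta(minutes=5)
VISIBLE_SUFFIX_LEN = 4


def mask_token(token: str, suffix_len: int = VISIBLE_SUFFIX_LEN) -> str:
    """Replace every character except the last `suffix_len` with '*'.

    A token no longer than `suffix_len` would be fully disclosed by a
    "show the last 4" rule, so such a token is masked entirely.
    """
    if len(token) <= suffix_len:
        return "*" * len(token)
    return "*" * (len(token) - suffix_len) + token[-suffix_len:]


def token_for_display(token: str, created_at: datetime, now: Optional[datetime] = None) -> str:
    """Return the token in full only inside the visibility window after creation.

    `created_at` must be timezone-aware: comparing a naive DB timestamp with an
    aware clock would either raise or silently compute the wrong age, and a wrong
    age here means either a usability bug or a token that stays readable for good.
    """
    if created_at.tzinfo is None:
        raise ValueError("created_at must be timezone-aware")
    if now is None:
        now = datetime.now(timezone.utc)
    age = now - created_at
    # The window is half-open: at exactly 5 minutes the token is already masked.
    if age < TOKEN_VISIBILITY_WINDOW:
        return token
    return mask_token(token)


if __name__ == "__main__":
    # Constructed sample token; no real SCIM credential.
    sample = "scim_example_0123456789abcdef"
    created = datetime(2026, 2, 12, 0, 51, tzinfo=timezone.utc)
    print(token_for_display(sample, created, created + timedelta(minutes=1)))
    print(token_for_display(sample, created, created + timedelta(minutes=6)))
```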

@wedamija wedamija requested a review from a team February 12, 2026 00:51
@wedamija wedamija requested a review from a team as a code owner February 12, 2026 00:51
@linear

linear bot commented Feb 12, 2026

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Feb 12, 2026
Member

@armenzg armenzg left a comment


Same comments as what Josh points out.

@geoffg-sentry geoffg-sentry changed the title fix(auth): Mask SCIM token after 5-minute visibility window (VULN-789) fix(auth): Mask SCIM token after 5-minute visibility window Feb 12, 2026
Contributor

@geoffg-sentry geoffg-sentry left a comment


Could add the logger.warning from Josh's comment; otherwise this is fine.

@wedamija wedamija merged commit d84bf17 into master Mar 9, 2026
76 checks passed
@wedamija wedamija deleted the danf/vuln-789-scim-token-masking branch March 9, 2026 17:55