feat: instrumentation for kinde auth#39
Conversation
jy-tan
left a comment
jy-tan
left a comment
There was a problem hiding this comment.
Remember to add to README.md
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
2 issues found across 34 files (changes from recent commits).
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="drift/instrumentation/kinde/instrumentation.py">
<violation number="1" location="drift/instrumentation/kinde/instrumentation.py:116">
P2: Guard against missing `is_authenticated` methods. As written, `getattr(cls, method_name)` will raise if the SDK version lacks the method, preventing instrumentation from loading in replay.</violation>
<violation number="2" location="drift/instrumentation/kinde/instrumentation.py:145">
P2: Handle missing `is_authenticated` function in helpers. `getattr(module, func_name)` will raise if the function is absent, which can stop instrumentation during replay.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| Returns: | ||
| True if patching succeeded, False otherwise. | ||
| """ | ||
| original = getattr(module, func_name) |
There was a problem hiding this comment.
P2: Handle missing is_authenticated function in helpers. getattr(module, func_name) will raise if the function is absent, which can stop instrumentation during replay.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At drift/instrumentation/kinde/instrumentation.py, line 145:
<comment>Handle missing `is_authenticated` function in helpers. `getattr(module, func_name)` will raise if the function is absent, which can stop instrumentation during replay.</comment>
<file context>
@@ -101,11 +102,77 @@ def _scan_session_for_key(session: Any, target_key: str) -> tuple[str | None, An
+ Returns:
+ True if patching succeeded, False otherwise.
+ """
+ original = getattr(module, func_name)
+
+ def patched(*args: Any, **kwargs: Any) -> bool:
</file context>
| original = getattr(module, func_name) | |
| original = getattr(module, func_name, None) | |
| if original is None: | |
| logger.debug(f"[KindeInstrumentation] {module_name}.{func_name}() not found, skipping patch") | |
| return False |
| Returns: | ||
| True if patching succeeded, False otherwise. | ||
| """ | ||
| original = getattr(cls, method_name) |
There was a problem hiding this comment.
P2: Guard against missing is_authenticated methods. As written, getattr(cls, method_name) will raise if the SDK version lacks the method, preventing instrumentation from loading in replay.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At drift/instrumentation/kinde/instrumentation.py, line 116:
<comment>Guard against missing `is_authenticated` methods. As written, `getattr(cls, method_name)` will raise if the SDK version lacks the method, preventing instrumentation from loading in replay.</comment>
<file context>
@@ -101,11 +102,77 @@ def _scan_session_for_key(session: Any, target_key: str) -> tuple[str | None, An
+ Returns:
+ True if patching succeeded, False otherwise.
+ """
+ original = getattr(cls, method_name)
+
+ def patched(*args: Any, **kwargs: Any) -> bool:
</file context>
| original = getattr(cls, method_name) | |
| original = getattr(cls, method_name, None) | |
| if original is None: | |
| logger.debug(f"[KindeInstrumentation] {class_name}.{method_name}() not found, skipping patch") | |
| return False |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
|
|
||
| _patch_is_authenticated_function(helpers, "is_authenticated", "helpers") | ||
| except ImportError: | ||
| logger.debug("[KindeInstrumentation] Could not import helpers, skipping patch") |
There was a problem hiding this comment.
Incomplete exception handling misses AttributeError from getattr
Medium Severity
The try-except blocks in _patch_all_is_authenticated_methods only catch ImportError, but the helper functions _patch_is_authenticated_method and _patch_is_authenticated_function use getattr(cls, method_name) without a default value at lines 116 and 145. If a class is imported successfully but lacks the is_authenticated method (e.g., due to API changes in a future Kinde SDK version), an uncaught AttributeError will propagate. Since _apply_patch in the registry has no exception handling, this could fail the entire instrumentation. The Django instrumentation shows the preferred pattern with except Exception as a fallback.
Additional Locations (2)
2 participants
Problem
Kinde's
StorageManagergenerates a new randomdevice_idon each server startup. Session data is stored with keys likedevice:{device_id}:{user_id}. During replay, the new server has a differentdevice_idthan the one used during recording, so token lookups fail andis_authenticated()returnsFalse.Solution
Two-tier patching approach in replay mode:
1. Primary: Patch
StorageManager.get()This works when apps store Kinde tokens in the session cookie using Kinde's standard storage. This is preferred since this goes through normal auth flow and things like
get_user_infowill still work as expected.2. Fallback: Patch all
is_authenticated()methodsFalse), returnTrueanywayThis fallback handles apps that:
Note
Adds REPLAY-mode Kinde SDK instrumentation and wires it into auto-init.
KindeInstrumentationpatcheskinde_sdkin REPLAY: primary patch toStorageManager.get()to recover device-prefixed session data; fallback patchesis_authenticated()across Kinde classes/helpers to return True when original returns Falsedrift_sdk._init_auto_instrumentations()(REPLAY-only)drift/instrumentation/kinde/**to unresolved-import overridesWritten by Cursor Bugbot for commit 2366f1e. This will update automatically on new commits. Configure here.