feat(snapshots): Support dedicated objectstore auth token

lcian · claude · lcian · commit 35d29235638e · 2026-04-09T10:32:54.000+02:00
Bump objectstore-client to 0.1.6 and use the dedicated auth token
from ObjectstoreUploadOptions when available, instead of always reusing
the Sentry auth token. The Sentry token is now passed as a Bearer
authorization header via configure_reqwest for request verification.

This resolves the TODO in the previous implementation and decouples
objectstore authentication from Sentry authentication.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -44,7 +44,7 @@ java-properties = "2.0.0"
 lazy_static = "1.4.0"
 libc = "0.2.139"
 log = { version = "0.4.17", features = ["std"] }
-objectstore-client = { version = "0.1.2" , default-features = false, features = ["native-tls"] }
+objectstore-client = { version = "0.1.6" , default-features = false, features = ["native-tls"] }
 open = "3.2.0"
 parking_lot = "0.12.1"
 percent-encoding = "2.2.0"
diff --git a/src/api/mod.rs b/src/api/mod.rs
@@ -2065,5 +2065,6 @@ pub struct SnapshotsUploadOptions {
 pub struct ObjectstoreUploadOptions {
     pub url: String,
     pub scopes: Vec<(String, String)>,
+    pub auth_token: Option<String>,
     pub expiration_policy: String,
 }
diff --git a/src/commands/build/snapshots.rs b/src/commands/build/snapshots.rs
@@ -295,15 +295,25 @@ fn upload_images(
     let expiration = ExpirationPolicy::from_str(&options.objectstore.expiration_policy)
         .context("Failed to parse expiration policy from upload options")?;
 
-    let client = ClientBuilder::new(options.objectstore.url)
-        .token({
-            // TODO: replace with auth from `ObjectstoreUploadOptions` when appropriate
-            let auth = match authenticated_api.auth() {
-                Auth::Token(token) => token.raw().expose_secret().to_owned(),
-            };
-            auth
+    let mut builder = ClientBuilder::new(options.objectstore.url);
+    if let Some(token) = options.objectstore.auth_token {
+        builder = builder.token(token);
+    }
+
+    let sentry_token = match authenticated_api.auth() {
+        Auth::Token(token) => token.raw().expose_secret().to_owned(),
+    };
+    let sentry_token = format!("Bearer {sentry_token}")
+        .parse()
+        // Ignore original error to avoid leaking the token (even though it's invalid)
+        .map_err(|_| anyhow::anyhow!("Invalid auth token"))?;
+    let client = builder
+        .configure_reqwest(|r| {
+            let mut headers = http::HeaderMap::new();
+            headers.insert(http::header::AUTHORIZATION, sentry_token);
+            r.connect_timeout(Duration::from_secs(10))
+                .default_headers(headers)
         })
-        .configure_reqwest(|r| r.connect_timeout(Duration::from_secs(10)))
         .build()?;
 
     let mut scope = Usecase::new("preprod").scope();

Original file line number	Diff line number	Diff line change
`@@ -2065,5 +2065,6 @@ pub struct SnapshotsUploadOptions {`
`2065`	`2065`	`pub struct ObjectstoreUploadOptions {`
`2066`	`2066`	`pub url: String,`
`2067`	`2067`	`pub scopes: Vec<(String, String)>,`
	`2068`	`+ pub auth_token: Option<String>,`
`2068`	`2069`	`pub expiration_policy: String,`
`2069`	`2070`	`}`