Add allowPrivateKey config option

Author: benvinegar

docs/config.rst

@@ -215,6 +215,12 @@ Those configuration options are documented below:
     onFailure
         Callback to be invoked upon a failed request.
 
+.. describe:: allowPrivateKey
+
+    By default, Raven.js will throw an error if configured with a Sentry DSN that contains a private key. When using Raven.js with a website/application accessed using a web browser over the web, you should only use your public DSN. But if you are using Raven.js in an environment like React Native or Electron, where your application is running "natively" on a device and not accessed at a web address, you may need to use your
+    private DSN string. To do so, set ``allowPrivateKey: true`` during configuration.
+
+
 Putting it all together
 -----------------------
 

src/raven.js

@@ -97,10 +97,6 @@ Raven.prototype = {
         }
         if (!dsn) return this;
 
-        var uri = this._parseDSN(dsn),
-            lastSlash = uri.path.lastIndexOf('/'),
-            path = uri.path.substr(1, lastSlash);
-
         // merge in options
         if (options) {
             each(options, function(key, value){
@@ -113,6 +109,10 @@ Raven.prototype = {
             });
         }
 
+        var uri = this._parseDSN(dsn),
+            lastSlash = uri.path.lastIndexOf('/'),
+            path = uri.path.substr(1, lastSlash);
+
         this._dsn = dsn;
 
         // "Script error." is hard coded into browsers for errors that it can't read.
@@ -127,6 +127,7 @@ Raven.prototype = {
         this._globalOptions.includePaths = joinRegExp(this._globalOptions.includePaths);
 
         this._globalKey = uri.user;
+        this._globalSecret = uri.pass && uri.pass.substr(1);
         this._globalProject = uri.path.substr(lastSlash + 1);
 
         this._globalServer = this._getGlobalServer(uri);
@@ -725,8 +726,10 @@ Raven.prototype = {
             throw new RavenConfigError('Invalid DSN: ' + str);
         }
 
-        if (dsn.pass)
-            throw new RavenConfigError('Do not specify your private key in the DSN!');
+        if (dsn.pass && !this._globalOptions.allowPrivateKey) {
+            console.dir(this._globalOptions.allowPrivateKey)
+            throw new RavenConfigError('Do not specify your private key in the DSN. See: http://bit.ly/raven-private-key');
+        }
 
         return dsn;
     },
@@ -990,14 +993,19 @@ Raven.prototype = {
 
         if (!this.isSetup()) return;
 
+        var auth = {
+            sentry_version: '7',
+            sentry_client: 'raven-js/' + this.VERSION,
+            sentry_key: this._globalKey
+        };
+        if (this._globalSecret) {
+            auth.sentry_secret = this._globalSecret;
+        }
+
         var url = this._globalEndpoint;
         (globalOptions.transport || this._makeRequest).call(this, {
             url: url,
-            auth: {
-                sentry_version: '7',
-                sentry_client: 'raven-js/' + this.VERSION,
-                sentry_key: this._globalKey
-            },
+            auth: auth,
             data: data,
             options: globalOptions,
             onSuccess: function success() {

test/raven.test.js

@@ -1047,6 +1047,51 @@ describe('globals', function() {
             assert.isFunction(opts.onError);
         });
 
+        it('should pass sentry_secret as part of auth params if specified', function () {
+            this.sinon.stub(Raven, 'isSetup').returns(true);
+            this.sinon.stub(Raven, '_makeRequest');
+            this.sinon.stub(Raven, '_getHttpData').returns({
+                url: 'http://localhost/?a=b',
+                headers: {'User-Agent': 'lolbrowser'}
+            });
+
+            Raven._globalEndpoint = 'http://localhost/store/';
+            Raven._globalOptions = {
+                projectId: 2,
+                logger: 'javascript',
+                maxMessageLength: 100,
+                release: 'abc123'
+            };;
+            Raven._globalSecret = 'def'; // <-- secret
+
+            Raven._send({message: 'bar'});
+            var args = Raven._makeRequest.lastCall.args;
+            assert.equal(args.length, 1);
+            var opts = args[0];
+            assert.equal(opts.url, 'http://localhost/store/');
+            assert.deepEqual(opts.data, {
+                project: '2',
+                release: 'abc123',
+                logger: 'javascript',
+                platform: 'javascript',
+                request: {
+                    url: 'http://localhost/?a=b',
+                    headers: {
+                        'User-Agent': 'lolbrowser'
+                    }
+                },
+                event_id: 'abc123',
+                message: 'bar',
+                extra: {'session:duration': 100},
+            });
+            assert.deepEqual(opts.auth, {
+                sentry_client: 'raven-js/2.1.0',
+                sentry_key: 'abc',
+                sentry_secret: 'def',
+                sentry_version: '7'
+            });
+        });
+
         it('should call globalOptions.transport if specified', function() {
             this.sinon.stub(Raven, 'isSetup').returns(true);
             this.sinon.stub(Raven, '_getHttpData').returns({
@@ -1528,12 +1573,33 @@ describe('Raven (public API)', function() {
             assert.equal(Raven, Raven.config(SENTRY_DSN, {foo: 'bar'}), 'it should return Raven');
 
             assert.equal(Raven._globalKey, 'abc');
+            assert.equal(Raven._globalSecret, '');
             assert.equal(Raven._globalEndpoint, 'http://example.com:80/api/2/store/');
             assert.equal(Raven._globalOptions.foo, 'bar');
             assert.equal(Raven._globalProject, '2');
             assert.isTrue(Raven.isSetup());
         });
 
+        it('throw an Error if the DSN contains a private/secret key', function () {
+            assert.throws(function () {
+                Raven.config('http://abc:[email protected]:80/2');
+            }, Error);
+        });
+
+        it('will NOT throw an Error if the DSN contains a private/secret key AND allowPrivateKey is true', function () {
+            assert.equal(
+                Raven,
+                Raven.config('http://abc:[email protected]:80/2', {allowPrivateKey: true}),
+                'it should return Raven'
+            );
+
+            assert.equal(Raven._globalKey, 'abc');
+            assert.equal(Raven._globalSecret, 'def');
+            assert.equal(Raven._globalEndpoint, 'http://example.com:80/api/2/store/');
+            assert.equal(Raven._globalProject, '2');
+            assert.isTrue(Raven.isSetup());
+        });
+
         it('should work with a protocol relative DSN', function() {
             Raven.config('//[email protected]/2');