Bloga Dönindustry2026-05-2312 dk okuma
Musteri magic-link error sayfasinda gorundugunu soyledi — Sentry token redact eksikti (PR #657 IX F4)
Hatay Antakya Sarayonu uc-jenerasyon kebapci Antakya Kebap sahibi Veysel (47), loyalty programi magic-link auth ile calisiyor. Sadik musteri Damla email: "Veysel Bey, magic-link tikladim hata sayfasi geldi ama URL deki token im net gorunuyordu ve sayfa bu hata thMenu ya gonderildi diyordu — guvenli mi?" Veysel thMenu support a forward etti. Forensik: Sentry dashboard /api/customer/magic-link/verify endpoint i icin 30 gunde 8.400+ error report. Her report context: request.url tam token raw kayitli. 8.400 magic-link token gorunur Sentry de. Cogu expired 24h TTL ama recently-failed tokens 30 dakika icinde HALA valid olabilir — Sentry erisimi olan kotu-niyetli kisi (dev, contractor, Sentry breach attacker) o pencerede token redeem edip customer account takeover yapabilirdi. Defense-in-depth gap. Sentry diger context capture lar da inspect edildi: breadcrumbs (navigation URL tokenli), Referer header (some requests), error stack trace (URL concatenation icermesi durumunda). Sentry default auto-redact credit card + SSN regex tanir, magic-link token gibi custom pattern HIC tanimlanmamis. **PR #657 batch IX F4** iki katmanli fix: (1) Sentry beforeSend hook event mutation: regex `/([?&])(token|magic_link_token|otp|verify_token|session_token|api_key|signature|secret)=[a-zA-Z0-9_-]+/gi` URL i replace eder. (2) Breadcrumbs aynı regex ile mapped. URL Sentry e [REDACTED] gider, token client tarafindan asla cikmaz. 4 SDK setup (web-menu, web-admin, web-affiliate, web-superadmin) parallel shipped. Historical 8.400 entry Sentry event scrubbing API ile retroactive cleaned. Damla a Veysel cevap: "Endisen yerindeydi, duzelttik, token Sentry ye HIC gitmiyor artik. 24h TTL email inbox tek security perimeter ama Sentry artik o guvenligi bypass etmiyor." Synaltix Veysel e 6-aylik Pro upgrade extra ay verdi. Pattern: sensitive credentials (magic-link, OTP, password-reset, session token, API key, OAuth bearer, JWT) error logging surface lerine (Sentry, Cloudflare Logpush, CloudWatch, Datadog, Logtail) HICBIR cevrede ulasmamali. Redaction her layer (URL, headers, breadcrumbs, stack trace, custom data). Audit checklist: URL regex tum sensitive query-param identifier; Headers Authorization+Cookie+Set-Cookie stripped; Breadcrumb URL redaction; Stack trace URL inspection; Custom data fields redaction policy.