fix(sentry): don't report settings-save input validation as errors #3068

Merged: vpetersson merged 1 commit into master from anthias-3d-settings-validation on Jun 11, 2026
@vpetersson

Contributor

Issues Fixed

Sentry ANTHIAS-3D (AuthSettingsError: New passwords do not match!, culprit /settings/save/).

Description

AuthSettingsError is operator input validation from the settings-save flow — a mismatched or incorrect password, a username already taken, or a password that fails the strength validators. It is not a bug: the message is already shown to the operator and the next attempt self-corrects.

Both settings-save surfaces (the HTML view and the DRF v2 view) caught it under a broad except Exception followed by logger.exception(...). Sentry's logging integration turns that ERROR-level record into an event, so an operator typo pages us.

This fixes it at the source and adds a backstop:

  • Catch AuthSettingsError ahead of the generic handler in both settings_save (HTML) and DeviceSettingsViewV2.patch (DRF). Log it at warning (no traceback) instead of logger.exception — a WARNING record never becomes a Sentry event. The DRF view now also echoes the operator-friendly message instead of burying it under a generic "An error occurred while saving settings."
  • Add AuthSettingsError to the before_send drop filter as a backstop for any other code path that might log it as an error — this is the "ignore for similar things" net.
  • Spell auth.py's AnyRequest as an explicit TypeAlias. The implicit AnyRequest = HttpRequest | DRFRequest form flipped to mypy Variable … is not valid as a type once settings.py started importing the module for the filter; the explicit alias resolves the forward-ref robustly regardless of import order.
  • Regression tests for the before_send drop and for the warning-level, no-traceback v2 rejection (asserts 400 + the specific message, nothing persisted, and no ERROR/exc_info record).

This mirrors the same "expected transient/expected state, not a bug" treatment the before_send filter already gives redis blips and client disconnects.

Checklist

  • I have performed a self-review of my own code.
  • New and existing unit tests pass locally and on CI with my changes.
  • I have done an end-to-end test for Raspberry Pi devices.
  • I have tested my changes for x86 devices.
  • I added documentation for the changes I have made (when necessary).

🤖 Generated with Claude Code

ANTHIAS-3D ("AuthSettingsError: New passwords do not match!") is
operator input validation, not a bug — a mismatched/incorrect
password, a taken username, or a too-weak password typed into the
settings form. Both settings-save surfaces caught it under a broad
`except Exception` + `logger.exception(...)`, and Sentry's logging
integration turns that ERROR record into an event.

- catch AuthSettingsError ahead of the generic handler in both the
  HTML view and the DRF v2 view; log it at warning (no traceback) so
  it never reaches the logging integration, and surface the
  operator-friendly message (the v2 view previously buried it under a
  generic "An error occurred")
- add AuthSettingsError to the before_send drop filter as a backstop
  for any other path that logs it as an error
- spell auth.py's AnyRequest as an explicit TypeAlias: the implicit
  form flipped to mypy "not valid as a type" once settings.py began
  importing the module
- regression tests for the before_send drop and the warning-level,
  no-traceback v2 rejection

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
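
The handler ordering and the `before_send` backstop described above, as an added example that is not the project's code. `AuthSettingsError` here is a stand-in class, and `update_auth`, `save_settings`, `Capture` and the 500 status on the generic path are hypothetical; only the standard `logging` module and Sentry's `before_send(event, hint)` contract (returning `None` drops the event) are assumed.

```python
import logging

class AuthSettingsError(Exception):
    """Stand-in for the project's operator-input validation error."""

logger = logging.getLogger("settings_save_demo")
logger.propagate = False  # keep the demo's records out of the root logger

class Capture(logging.Handler):
    def __init__(self):
        super().__init__()
        self.records = []
    def emit(self, record):
        self.records.append(record)

def update_auth(data):
    # Hypothetical validator: only the mismatch case from the PR is modelled.
    if data.get("password") != data.get("password_2"):
        raise AuthSettingsError("New passwords do not match!")

def save_settings(data, store):
    """Return (status, message); nothing is persisted on rejection."""
    try:
        update_auth(data)
        store.update(username=data["username"])
    except AuthSettingsError as exc:
        # Expected operator input: WARNING, no traceback, specific message.
        logger.warning("Settings rejected: %s", exc)
        return 400, str(exc)
    except Exception:
        # Genuine bug: ERROR with traceback (status code is an assumption).
        logger.exception("Settings save failed")
        return 500, "An error occurred while saving settings."
    return 200, "ok"

def before_send(event, hint):
    """Backstop in the shape Sentry calls: returning None drops the event."""
    exc_info = hint.get("exc_info")
    if exc_info and issubclass(exc_info[0], AuthSettingsError):
        return None
    return event

def demo():
    cap, store = Capture(), {}
    logger.addHandler(cap)
    bad = save_settings({"username": "op", "password": "a", "password_2": "b"}, store)
    bug = save_settings({"password": "a", "password_2": "a"}, store)  # KeyError path
    logger.removeHandler(cap)
    return bad, bug, store, [(r.levelname, r.exc_info is not None) for r in cap.records]
```

The order of the `except` clauses is what matters: with the generic clause first, the validation error would be logged at ERROR with a traceback and only the `before_send` filter would stand between it and an alert.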
@vpetersson vpetersson requested a review from a team as a code owner June 11, 2026 10:52
@vpetersson vpetersson requested a review from Copilot June 11, 2026 10:53
@sonarqubecloud

Comment thread src/anthias_server/api/views/v2.py Dismissed

Copilot AI left a comment

Pull request overview

This PR reduces Sentry noise by treating AuthSettingsError from the settings-save flow as expected operator input validation (e.g., password mismatch, weak password, username taken) rather than a server error, while preserving operator-facing feedback and adding regression coverage.

Changes:

  • Catch AuthSettingsError explicitly in both the HTML settings save view and the v2 DRF PATCH endpoint, logging at WARNING (no traceback) and returning/printing the operator-friendly message.
  • Add AuthSettingsError to Sentry’s _sentry_before_send drop filter as a backstop.
  • Add regression tests verifying the before_send drop and that the v2 endpoint logs validation failures at WARNING without exc_info and persists nothing.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| tests/test_sentry.py | Adds coverage ensuring Sentry drops AuthSettingsError events via before_send. |
| src/anthias_server/lib/auth.py | Refines typing for AnyRequest via explicit TypeAlias to keep mypy stable when imported from settings. |
| src/anthias_server/django_project/settings.py | Drops AuthSettingsError in _sentry_before_send (lazy import) to prevent operator validation from becoming Sentry events. |
| src/anthias_server/app/views.py | Handles AuthSettingsError separately in settings_save, logs WARNING, and shows operator-friendly message. |
| src/anthias_server/api/views/v2.py | Handles AuthSettingsError separately in device settings PATCH, logs WARNING, and returns 400 with the specific message. |
| src/anthias_server/api/tests/test_v2_endpoints.py | Adds regression test asserting 400 + message, no persistence, and no ERROR/exc_info logging for password mismatch. |

@vpetersson vpetersson merged commit 4402ea4 into master Jun 11, 2026
10 checks passed