From f947d50600ed06975b20a978a3254852796e90b4 Mon Sep 17 00:00:00 2001
From: lcian <17258265+lcian@users.noreply.github.com>
Date: Thu, 30 Apr 2026 10:30:06 +0200
Subject: [PATCH 1/3] fix(snapshots): Remove Sentry auth token from objectstore client
The objectstore client was injecting the user's Sentry auth token as a default Authorization header on all requests. Since the objectstore URL comes from the server API response and can point to external storage hosts (S3, GCS, etc.), this leaked the Sentry token to third-party services. The objectstore already authenticates via its own auth_token field (x-os-auth header), making the Sentry token unnecessary.
Co-Authored-By: Claude Opus 4.6
---
src/commands/build/snapshots.rs | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/commands/build/snapshots.rs b/src/commands/build/snapshots.rs
index 2b2840779b..c12b8a465a 100644
--- a/src/commands/build/snapshots.rs
+++ b/src/commands/build/snapshots.rs
@@ -18,7 +18,7 @@ use sha2::{Digest as _, Sha256};
 use walkdir::WalkDir;
 use crate::api::{Api, CreateSnapshotResponse, ImageMetadata, SnapshotsManifest};
-use crate::config::{Auth, Config};
+use crate::config::Config;
 use crate::utils::args::ArgExt as _;
 use crate::utils::build_vcs::collect_git_metadata;
 use crate::utils::ci::is_ci;
@@ -336,22 +336,8 @@ fn upload_images(
 if let Some(token) = options.objectstore.auth_token {
 builder = builder.token(token.expose_secret().to_owned());
 }
- let builder = builder;
-
- let sentry_token = match authenticated_api.auth() {
- Auth::Token(token) => token.raw().expose_secret().to_owned(),
- };
- let sentry_token = format!("Bearer {sentry_token}")
- .parse()
- // Ignore original error to avoid leaking the token (even though it's invalid)
- .map_err(|_| anyhow::anyhow!("Invalid auth token"))?;
 let client = builder
- .configure_reqwest(|r| {
- let mut headers = http::HeaderMap::new();
- headers.insert(http::header::AUTHORIZATION, sentry_token);
- r.connect_timeout(Duration::from_secs(10))
- .default_headers(headers)
- })
+ .configure_reqwest(|r| r.connect_timeout(Duration::from_secs(10)))
 .build()?;
 let scopes = options.objectstore.scopes;
From 96bf2feaec1f67a91aafa8a4961fe88b06e30642 Mon Sep 17 00:00:00 2001
From: lcian <17258265+lcian@users.noreply.github.com>
Date: Thu, 30 Apr 2026 10:34:56 +0200
Subject: [PATCH 2/3] fix(snapshots): Remove dead auth() method and add changelog
The auth() method on AuthenticatedApi no longer has any callers after removing the token leak. CI builds with -Dwarnings, which promotes the dead_code warning to a compilation error.
Co-Authored-By: Claude Opus 4.6
---
CHANGELOG.md | 6 ++++++
src/api/mod.rs | 8 --------
2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eb492446db..bc9ab8e34f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
+## Unreleased
+
+### Security
+
+- (snapshots) Stop sending Sentry auth token to external objectstore hosts during build snapshot uploads ([#3286](https://github.com/getsentry/sentry-cli/pull/3286))
+
 ## 3.4.1
 ### Improvements
diff --git a/src/api/mod.rs b/src/api/mod.rs
index ea3d5eb279..b53e034953 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
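Review bot: The new `configure_reqwest` closure no longer sets any default headers, but nothing in the code records why, so a later maintainer could re-add a Sentry `Authorization` header without noticing the leak described in the commit message. A one-line comment above `let client = builder` would pin the invariant: `// Deliberately no default Authorization header: the objectstore URL is server-supplied and may be a third-party host; objectstore auth is carried by builder.token() only.` A regression test that points the upload at a local HTTP listener and asserts the received request carries no `Authorization` header would make the fix durable against reintroduction. upload_images starts and ends outside this hunk, so I cannot see whether the objectstore URL's scheme is validated before the client is built; if it is not, restricting it to https would keep the objectstore token itself off plaintext transport.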
@@ -450,14 +450,6 @@ impl AuthenticatedApi<'_> {
 self.api.request(method, url, None)
 }
- /// Returns the auth info for use in external service authorization.
- pub fn auth(&self) -> &Auth {
- self.api
- .config
- .get_auth()
- .expect("AuthenticatedApi can only be constructed when auth exists")
- }
-
 // High-level method implementations
 /// Performs an API request to verify the authentication status of the
From ae9992885a7756b98f8c5bd40200b89e6b27207f Mon Sep 17 00:00:00 2001
From: lcian <17258265+lcian@users.noreply.github.com>
Date: Thu, 30 Apr 2026 10:37:56 +0200
Subject: [PATCH 3/3] changelog
---
CHANGELOG.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bc9ab8e34f..b9bfd983d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,9 +2,9 @@
 ## Unreleased
-### Security
+### Fixes
-- (snapshots) Stop sending Sentry auth token to external objectstore hosts during build snapshot uploads ([#3286](https://github.com/getsentry/sentry-cli/pull/3286))
+- (snapshots) Stop sending Sentry auth token to Objectstore ([#3286](https://github.com/getsentry/sentry-cli/pull/3286))
 ## 3.4.1