feat(core)!: Stop setting user in requestDataIntegration

This was an express-specific, rather undocumented behavior, and also conflicted with our privacy-by-default stance.

Starting in v9, you'll need to manually call `Sentry.setUser()` e.g. in a middleware to set the user on Sentry events.

Docs for this are already pending: getsentry/sentry-docs#12224

Author: mydea

docs/migration/v8-to-v9.md

@@ -84,6 +84,8 @@ In v9, an `undefined` value will be treated the same as if the value is not defi
 
 - When `skipOpenTelemetrySetup: true` is configured, `httpIntegration({ spans: false })` will be configured by default. This means that you no longer have to specify this yourself in this scenario. With this change, no spans are emitted once `skipOpenTelemetrySetup: true` is configured, without any further configuration being needed.
 
+- The `requestDataIntegration` will no longer automatically set the user from `request.user`. This is an express-specific, undocumented behavior, and also conflicts with our privacy-by-default strategy. Starting in v9, you'll need to manually call `Sentry.setUser()` e.g. in a middleware to set the user on Sentry events.
+
 ### `@sentry/browser`
 
 - The `captureUserFeedback` method has been removed. Use `captureFeedback` instead and update the `comments` field to `message`.
@@ -128,6 +130,8 @@ Sentry.init({
 });
 ```
 
+- The `DEFAULT_USER_INCLUDES` constant has been removed.
+
 ### `@sentry/react`
 
 - The `wrapUseRoutes` method has been removed. Use `wrapUseRoutesV6` or `wrapUseRoutesV7` instead depending on what version of react router you are using.

packages/astro/src/index.server.ts

@@ -33,7 +33,6 @@ export {
   cron,
   dataloaderIntegration,
   dedupeIntegration,
-  DEFAULT_USER_INCLUDES,
   defaultStackParser,
   endSession,
   expressErrorHandler,

packages/aws-serverless/src/index.ts

@@ -44,7 +44,6 @@ export {
   getSentryRelease,
   // eslint-disable-next-line deprecation/deprecation
   addRequestDataToEvent,
-  DEFAULT_USER_INCLUDES,
   // eslint-disable-next-line deprecation/deprecation
   extractRequestData,
   createGetModuleFromFilename,

packages/bun/src/index.ts

@@ -64,7 +64,6 @@ export {
   getSentryRelease,
   // eslint-disable-next-line deprecation/deprecation
   addRequestDataToEvent,
-  DEFAULT_USER_INCLUDES,
   // eslint-disable-next-line deprecation/deprecation
   extractRequestData,
   createGetModuleFromFilename,

packages/core/src/integrations/requestdata.ts

@@ -17,13 +17,6 @@ export type RequestDataIntegrationOptions = {
     ip?: boolean;
     query_string?: boolean;
     url?: boolean;
-    user?:
-      | boolean
-      | {
-          id?: boolean;
-          username?: boolean;
-          email?: boolean;
-        };
   };
 
   /**
@@ -41,11 +34,6 @@ const DEFAULT_OPTIONS = {
     ip: false,
     query_string: true,
     url: true,
-    user: {
-      id: true,
-      username: true,
-      email: true,
-    },
   },
   transactionNamingScheme: 'methodPath' as const,
 };
@@ -59,14 +47,6 @@ const _requestDataIntegration = ((options: RequestDataIntegrationOptions = {}) =
     include: {
       ...DEFAULT_OPTIONS.include,
       ...options.include,
-      user:
-        options.include && typeof options.include.user === 'boolean'
-          ? options.include.user
-          : {
-              ...DEFAULT_OPTIONS.include.user,
-              // Unclear why TS still thinks `options.include.user` could be a boolean at this point
-              ...((options.include || {}).user as Record<string, boolean>),
-            },
     },
   };
 
@@ -87,9 +67,8 @@ const _requestDataIntegration = ((options: RequestDataIntegrationOptions = {}) =
       if (normalizedRequest) {
         // Some other data is not available in standard HTTP requests, but can sometimes be augmented by e.g. Express or Next.js
         const ipAddress = request ? request.ip || (request.socket && request.socket.remoteAddress) : undefined;
-        const user = request ? request.user : undefined;
 
-        addNormalizedRequestDataToEvent(event, normalizedRequest, { ipAddress, user }, addRequestDataOptions);
+        addNormalizedRequestDataToEvent(event, normalizedRequest, { ipAddress }, addRequestDataOptions);
         return event;
       }
 
@@ -118,7 +97,7 @@ function convertReqDataIntegrationOptsToAddReqDataOpts(
   const {
     // eslint-disable-next-line deprecation/deprecation
     transactionNamingScheme,
-    include: { ip, user, ...requestOptions },
+    include: { ip, ...requestOptions },
   } = integrationOptions;
 
   const requestIncludeKeys: string[] = ['method'];
@@ -128,25 +107,9 @@ function convertReqDataIntegrationOptsToAddReqDataOpts(
     }
   }
 
-  let addReqDataUserOpt;
-  if (user === undefined) {
-    addReqDataUserOpt = true;
-  } else if (typeof user === 'boolean') {
-    addReqDataUserOpt = user;
-  } else {
-    const userIncludeKeys: string[] = [];
-    for (const [key, value] of Object.entries(user)) {
-      if (value) {
-        userIncludeKeys.push(key);
-      }
-    }
-    addReqDataUserOpt = userIncludeKeys;
-  }
-
   return {
     include: {
       ip,
-      user: addReqDataUserOpt,
       request: requestIncludeKeys.length !== 0 ? requestIncludeKeys : undefined,
       transaction: transactionNamingScheme,
     },

packages/core/src/utils-hoist/index.ts

@@ -66,7 +66,6 @@ export type { PromiseBuffer } from './promisebuffer';
 
 // TODO: Remove requestdata export once equivalent integration is used everywhere
 export {
-  DEFAULT_USER_INCLUDES,
   addNormalizedRequestDataToEvent,
   // eslint-disable-next-line deprecation/deprecation
   addRequestDataToEvent,

packages/core/src/utils-hoist/requestdata.ts

@@ -22,10 +22,8 @@ import { getClientIPAddress, ipHeaderNames } from './vendor/getIpAddress';
 const DEFAULT_INCLUDES = {
   ip: false,
   request: true,
-  user: true,
 };
 const DEFAULT_REQUEST_INCLUDES = ['cookies', 'data', 'headers', 'method', 'query_string', 'url'];
-export const DEFAULT_USER_INCLUDES = ['id', 'username', 'email'];
 
 /**
  * Options deciding what parts of the request to use when enhancing an event
@@ -38,7 +36,6 @@ export type AddRequestDataToEventOptions = {
     /** @deprecated This option will be removed in v9. It does not do anything anymore, the `transcation` is set in other places. */
     // eslint-disable-next-line deprecation/deprecation
     transaction?: boolean | 'path' | 'methodPath' | 'handler';
-    user?: boolean | Array<(typeof DEFAULT_USER_INCLUDES)[number]>;
   };
 
   /** Injected platform-specific dependencies */
@@ -103,24 +100,6 @@ export function extractPathForTransaction(
   return [name, source];
 }
 
-function extractUserData(
-  user: {
-    [key: string]: unknown;
-  },
-  keys: boolean | string[],
-): { [key: string]: unknown } {
-  const extractedUser: { [key: string]: unknown } = {};
-  const attributes = Array.isArray(keys) ? keys : DEFAULT_USER_INCLUDES;
-
-  attributes.forEach(key => {
-    if (user && key in user) {
-      extractedUser[key] = user[key];
-    }
-  });
-
-  return extractedUser;
-}
-
 /**
  * Normalize data from the request object, accounting for framework differences.
  *
@@ -260,7 +239,7 @@ export function addNormalizedRequestDataToEvent(
   event: Event,
   req: RequestEventData,
   // This is non-standard data that is not part of the regular HTTP request
-  additionalData: { ipAddress?: string; user?: Record<string, unknown> },
+  additionalData: { ipAddress?: string },
   options: AddRequestDataToEventOptions,
 ): void {
   const include = {
@@ -282,20 +261,6 @@ export function addNormalizedRequestDataToEvent(
     };
   }
 
-  if (include.user) {
-    const extractedUser =
-      additionalData.user && isPlainObject(additionalData.user)
-        ? extractUserData(additionalData.user, include.user)
-        : {};
-
-    if (Object.keys(extractedUser).length) {
-      event.user = {
-        ...extractedUser,
-        ...event.user,
-      };
-    }
-  }
-
   if (include.ip) {
     const ip = (req.headers && getClientIPAddress(req.headers)) || additionalData.ipAddress;
     if (ip) {
@@ -343,17 +308,6 @@ export function addRequestDataToEvent(
     };
   }
 
-  if (include.user) {
-    const extractedUser = req.user && isPlainObject(req.user) ? extractUserData(req.user, include.user) : {};
-
-    if (Object.keys(extractedUser).length) {
-      event.user = {
-        ...event.user,
-        ...extractedUser,
-      };
-    }
-  }
-
   // client ip:
   //   node, nextjs: req.socket.remoteAddress
   //   express, koa: req.ip

packages/google-cloud-serverless/src/index.ts

@@ -44,7 +44,6 @@ export {
   getSentryRelease,
   // eslint-disable-next-line deprecation/deprecation
   addRequestDataToEvent,
-  DEFAULT_USER_INCLUDES,
   // eslint-disable-next-line deprecation/deprecation
   extractRequestData,
   createGetModuleFromFilename,

packages/node/src/index.ts

@@ -55,7 +55,7 @@ export { cron } from './cron';
 export type { NodeOptions } from './types';
 
 // eslint-disable-next-line deprecation/deprecation
-export { addRequestDataToEvent, DEFAULT_USER_INCLUDES, extractRequestData } from '@sentry/core';
+export { addRequestDataToEvent, extractRequestData } from '@sentry/core';
 
 export {
   // This needs exporting so the NodeClient can be used without calling init

packages/remix/src/index.server.ts

@@ -36,7 +36,6 @@ export {
   createTransport,
   cron,
   dedupeIntegration,
-  DEFAULT_USER_INCLUDES,
   defaultStackParser,
   endSession,
   expressErrorHandler,

packages/solidstart/src/server/index.ts

@@ -28,7 +28,6 @@ export {
   createTransport,
   cron,
   dedupeIntegration,
-  DEFAULT_USER_INCLUDES,
   defaultStackParser,
   endSession,
   expressErrorHandler,

packages/sveltekit/src/server/index.ts

@@ -28,7 +28,6 @@ export {
   createTransport,
   cron,
   dedupeIntegration,
-  DEFAULT_USER_INCLUDES,
   defaultStackParser,
   endSession,
   expressErrorHandler,