fix(auth): bake public OAuth client ID as fallback in getClientId()

BYK · BYK · commit d7e43e9929df · 2026-05-05T11:37:38.000Z
The OAuth client ID is a public value — Device Authorization Grant (RFC 8628)
uses a public-client flow with no client secret. The value is already stored
as a plain repo variable (vars.SENTRY_CLIENT_ID) in CI, not a secret.

Committing it as DEFAULT_OAUTH_CLIENT_ID eliminates the .env.local requirement
for local development against sentry.io. The priority chain is unchanged:

  SENTRY_CLIENT_ID env var → SENTRY_CLIENT_ID_BUILD (build-time) → committed default

Self-hosted users still override via SENTRY_CLIENT_ID env var; production
release builds still inject via SENTRY_CLIENT_ID_BUILD — no behaviour change
for either path.
diff --git a/.env.example b/.env.example
@@ -1,5 +1,5 @@
 # Copy this to .env.local and fill in your values
-SENTRY_CLIENT_ID=your-sentry-oauth-client-id
+# SENTRY_CLIENT_ID=your-sentry-oauth-client-id  # Only needed for self-hosted or a custom OAuth app
 # SENTRY_URL=https://sentry.io  # Uncomment for self-hosted
 
 # Test credentials (for running E2E tests)
diff --git a/src/lib/oauth.ts b/src/lib/oauth.ts
@@ -43,11 +43,23 @@ function getSentryUrl(): string {
   return getConfiguredSentryUrl() ?? DEFAULT_SENTRY_URL;
 }
 
+/**
+ * Public OAuth client ID for sentry.io.
+ *
+ * Device Authorization Grant (RFC 8628) is a public-client flow — no client
+ * secret is involved, so this value is safe to commit. It is equivalent to the
+ * `SENTRY_CLIENT_ID` repo variable used by CI.
+ *
+ * Self-hosted instances must override this via the `SENTRY_CLIENT_ID` env var
+ * or the `SENTRY_CLIENT_ID_BUILD` build-time define.
+ */
+const DEFAULT_OAUTH_CLIENT_ID =
+  "1d673b81d60ef84c951359c36296972ca6fd41bd8f45acd2d3a783a3b3c28e41";
+
 /**
  * OAuth client ID
  *
- * Build-time: Injected via esbuild define: { SENTRY_CLIENT_ID_BUILD: "..." }
- * Runtime: Can be overridden via SENTRY_CLIENT_ID env var (for self-hosted)
+ * Priority: SENTRY_CLIENT_ID env var → SENTRY_CLIENT_ID_BUILD (build-time) → committed default
  *
  * Read at call time (not module load time) so tests can override SENTRY_CLIENT_ID
  * after module initialization.
@@ -60,7 +72,7 @@ function getClientId(): string {
     getEnv().SENTRY_CLIENT_ID ??
     (typeof SENTRY_CLIENT_ID_BUILD !== "undefined"
       ? SENTRY_CLIENT_ID_BUILD
-      : "")
+      : DEFAULT_OAUTH_CLIENT_ID)
   );
 }
 
