Consistent sending of auth keys

[rhcarvalho]

While working on #2553, I noticed that @sentry/browser does authentication via query string, while @sentry/node uses headers.

While we could send the same keys in both cases, we don't:

key	query string	headers
sentry_key	✅	✅
sentry_version	✅	✅
sentry_client	❌	✅
sentry_timestamp	❌	❌
sentry_secret	❌	❌

Investigate whether it makes any meaningful difference sending SDK name/version in sentry_client, since it is already part of the request body anyway.

[jan-auer]

It would be better to send sentry_client, since we use it as a fallback during event normalization and write it into the event payload. However, it's not critical for ingestion. If it's already part of the request, then you can safely omit it and get a shorter URL.

[rhcarvalho]

For the record:

sentry_client

@sentry/browser and @sentry/node always set the SDK information in the event payload. Thus, it seems okay to skip sentry_client as part of the auth info (as Jan says above).

sentry_timestamp

The timestamp for (error) events is never set, neither on the event payload nor the header/query string. That means JS events get their timestamps defaulted by Relay during normalization.

I think the SDKs should set the timestamp, tracking in #2573.

sentry_secret

The sentry_secret is never sent, contrary to the docs that suggest sending it when the DSN has a secret key. Since it's been like that for probably a long time, I think we can probably consider the secret key fully deprecated in the current version of the JS SDKs.

[jan-auer]

I think we can probably consider the secret key fully deprecated in the current version of the JS SDKs.

Agreed, the only reason it's still mentioned in docs is to support legacy Sentry servers that required the secret key for certain server-side SDKs. AFAIK, raven-node was not one of them.