ref: ensure Authenticator is exportable (#94955)

the custom JSON field needs to also properly encode for the django
serialization framework

resolves getsentry/self-hosted#3789

<!-- Describe your PR here. -->

Author: asottile-sentry

src/sentry/testutils/helpers/backups.py

@@ -15,8 +15,11 @@
 from django.apps import apps
 from django.db import connections, router
 from django.utils import timezone
+from fido2.ctap2 import AuthenticatorData
+from fido2.utils import sha256
 from sentry_relay.auth import generate_key_pair
 
+from sentry.auth.authenticators.u2f import create_credential_object
 from sentry.backup.crypto import LocalFileDecryptor, LocalFileEncryptor, decrypt_encrypted_tarball
 from sentry.backup.dependencies import (
     NormalizedModelName,
@@ -372,7 +375,38 @@ def create_exhaustive_user(
             first_seen=datetime(2012, 4, 5, 3, 29, 45, tzinfo=UTC),
             last_seen=datetime(2012, 4, 5, 3, 29, 45, tzinfo=UTC),
         )
-        Authenticator.objects.create(user=user, type=1, config={})
+        Authenticator.objects.create(
+            user=user,
+            type=1,
+            config={
+                "devices": [
+                    {
+                        "binding": {
+                            "publicKey": "publickey",
+                            "keyHandle": "aowerkoweraowerkkro",
+                            "appId": "https://dev.getsentry.net:8000/auth/2fa/u2fappid.json",
+                        },
+                        "name": "Sentry",
+                        "ts": 1512505334,
+                    },
+                    {
+                        "name": "Alert Escargot",
+                        "ts": 1512505334,
+                        "binding": AuthenticatorData.create(
+                            sha256(b"test"),
+                            0x41,
+                            1,
+                            create_credential_object(
+                                {
+                                    "publicKey": "webauthn",
+                                    "keyHandle": "webauthn",
+                                }
+                            ),
+                        ),
+                    },
+                ]
+            },
+        )
 
         if is_admin:
             self.add_user_permission(user, "users.admin")

src/sentry/users/models/authenticator.py

@@ -133,16 +133,18 @@ class AuthenticatorConfig(models.JSONField):
     def _is_devices_config(self, value: Any) -> bool:
         return isinstance(value, dict) and "devices" in value
 
-    def get_db_prep_value(self, value: Any, *args: Any, **kwargs: Any) -> Any:
+    def _encode_value(self, value: Any) -> Any:
         if self._is_devices_config(value):
             # avoid mutating the original object
             value = copy.deepcopy(value)
             for device in value["devices"]:
                 # AuthenticatorData is a non-json-serializable bytes subclass
                 if isinstance(device["binding"], AuthenticatorData):
                     device["binding"] = base64.b64encode(device["binding"]).decode()
+        return value
 
-        return super().get_db_prep_value(value, *args, **kwargs)
+    def get_db_prep_value(self, value: Any, *args: Any, **kwargs: Any) -> Any:
+        return super().get_db_prep_value(self._encode_value(value), *args, **kwargs)
 
     def from_db_value(
         self, value: str | None, expression: Expression, connection: BaseDatabaseWrapper
@@ -154,6 +156,9 @@ def from_db_value(
                     device["binding"] = AuthenticatorData(base64.b64decode(device["binding"]))
         return ret
 
+    def value_to_string(self, obj: models.Model) -> object:  # type: ignore[override]  # see typeddjango/django-stubs#2729
+        return self._encode_value(self.value_from_object(obj))
+
 
 @control_silo_model
 class Authenticator(ControlOutboxProducingModel):