Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/02/11 19:30:35 UTC

[GitHub] [superset] suddjian commented on a change in pull request #18651: feat(embedded): aud claim and type for guest token

suddjian commented on a change in pull request #18651:
URL: https://github.com/apache/superset/pull/18651#discussion_r804922012



##########
File path: superset/config.py
##########
@@ -1316,6 +1316,7 @@ def SQL_QUERY_MUTATOR(  # pylint: disable=invalid-name,unused-argument
 GUEST_TOKEN_JWT_ALGO = "HS256"
 GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
 GUEST_TOKEN_JWT_EXP_SECONDS = 300  # 5 minutes
+GUEST_TOKEN_JWT_DECODE_AUDIENCE = None
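Review bot: The new setting carries no comment explaining what it controls or what `None` means. The other hunks in this change fall back to `get_url_host()` when the value is unset, so a deployment behind a proxy, or one that serves several hostnames, ends up with whatever host value that helper derives per request; document that next to the line, e.g. `GUEST_TOKEN_JWT_DECODE_AUDIENCE = None  # None: use the request host (get_url_host); set explicitly for proxied/multi-host deployments`, so operators know when the default is not what they want.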

Review comment:
```suggestion
GUEST_TOKEN_JWT_AUDIENCE = None
```

##########
File path: superset/security/manager.py
##########
@@ -1308,6 +1309,7 @@ def create_guest_access_token(
         secret = current_app.config["GUEST_TOKEN_JWT_SECRET"]
         algo = current_app.config["GUEST_TOKEN_JWT_ALGO"]
         exp_seconds = current_app.config["GUEST_TOKEN_JWT_EXP_SECONDS"]
+        aud = current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or get_url_host()
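Review bot: The `or` fallback treats an empty string the same as `None`, so an audience setting that is present but blank silently falls back to the request host instead of surfacing the misconfiguration; an explicit `if value is None` check would make that visible. This hunk only shows `aud` being computed, so make sure the same value is actually added to the token payload next to `exp`, and since the identical expression appears at three call sites in this PR, a single helper (a hypothetical `_get_guest_token_audience()`) would keep the issuing and verifying sides from drifting apart.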

Review comment:
```suggestion
        aud = current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or get_url_host()
```

##########
File path: superset/security/manager.py
##########
@@ -1337,13 +1341,22 @@ def get_guest_user_from_request(self, req: Request) -> Optional[GuestUser]:
             return None
 
         try:
+            aud = (
+                current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or get_url_host()
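Review bot: Computing `aud` inside the `try` block means an exception raised while reading the config or from `get_url_host()` is caught by whatever `except` follows (cut off in this hunk) rather than by the caller, which turns a misconfiguration into a silently rejected guest token. Move the `aud = (...)` lookup above the `try`, or into the shared helper used by `parse_jwt_guest_token`, so only genuine decode failures are swallowed and configuration errors fail loudly.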

Review comment:
```suggestion
                current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or get_url_host()
```

##########
File path: superset/security/manager.py
##########
@@ -1366,7 +1379,8 @@ def parse_jwt_guest_token(raw_token: str) -> Dict[str, Any]:
         """
         secret = current_app.config["GUEST_TOKEN_JWT_SECRET"]
         algo = current_app.config["GUEST_TOKEN_JWT_ALGO"]
-        return jwt.decode(raw_token, secret, algorithms=[algo])
+        aud = current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or get_url_host()
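Review bot: The hunk removes `return jwt.decode(raw_token, secret, algorithms=[algo])` and computes `aud`, but the replacement decode call is not shown; it needs to pass `audience=aud` to `jwt.decode` so that PyJWT checks the claim against the expected value rather than the value merely being computed and unused. The docstring above this line should also state that the audience is verified, and a test that decodes a token issued for a different audience and expects a rejection would lock the behaviour in.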

Review comment:
```suggestion
        aud = current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or get_url_host()
```

##########
File path: superset/config.py
##########
@@ -1316,6 +1316,7 @@ def SQL_QUERY_MUTATOR(  # pylint: disable=invalid-name,unused-argument
 GUEST_TOKEN_JWT_ALGO = "HS256"
 GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
 GUEST_TOKEN_JWT_EXP_SECONDS = 300  # 5 minutes
+GUEST_TOKEN_JWT_DECODE_AUDIENCE = None

Review comment:
Since it's used both in encoding and decoding.



