Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/02/11 19:30:35 UTC
[GitHub] [superset] suddjian commented on a change in pull request #18651: feat(embedded): aud claim and type for guest token
suddjian commented on a change in pull request #18651:
URL: https://github.com/apache/superset/pull/18651#discussion_r804922012
##########
File path: superset/config.py
##########
@@ -1316,6 +1316,7 @@ def SQL_QUERY_MUTATOR( # pylint: disable=invalid-name,unused-argument
GUEST_TOKEN_JWT_ALGO = "HS256"
GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
GUEST_TOKEN_JWT_EXP_SECONDS = 300 # 5 minutes
+GUEST_TOKEN_JWT_DECODE_AUDIENCE = None
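Review bot: the new setting is added without a comment explaining what it controls, unlike the neighbouring `GUEST_TOKEN_JWT_EXP_SECONDS = 300 # 5 minutes`. Because the other hunks fall back to `get_url_host()` when this is `None`, a one-line comment such as `# Audience ("aud") claim set on issued guest tokens and required when they are verified; None falls back to the app's URL host` would tell operators that the value has to agree between the process issuing tokens and the one verifying them.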
Review comment:
```suggestion
GUEST_TOKEN_JWT_AUDIENCE = None
```
##########
File path: superset/security/manager.py
##########
@@ -1308,6 +1309,7 @@ def create_guest_access_token(
secret = current_app.config["GUEST_TOKEN_JWT_SECRET"]
algo = current_app.config["GUEST_TOKEN_JWT_ALGO"]
exp_seconds = current_app.config["GUEST_TOKEN_JWT_EXP_SECONDS"]
+ aud = current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or get_url_host()
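Review bot: falling back to `get_url_host()` at issue time ties the token's `aud` to whatever host the issuing process sees, so a deployment reached through more than one hostname, or through a proxy that rewrites the host, can mint tokens that the verifier in `parse_jwt_guest_token` rejects for a mismatched audience. Consider documenting that an explicit `GUEST_TOKEN_JWT_DECODE_AUDIENCE` is the supported configuration for such setups, with the host fallback only as a single-host convenience.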
Review comment:
```suggestion
aud = current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or get_url_host()
```
##########
File path: superset/security/manager.py
##########
@@ -1337,13 +1341,22 @@ def get_guest_user_from_request(self, req: Request) -> Optional[GuestUser]:
return None
try:
+ aud = (
+ current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or get_url_host()
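Review bot: this is the second of three copies of `current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or get_url_host()` in the patch (the others are in `create_guest_access_token` and `parse_jwt_guest_token`), and the encode and decode sides must agree exactly or every guest token fails verification. A small helper, say `get_guest_token_audience()`, used by all three call sites would keep them from drifting and give one place to change the fallback later.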
Review comment:
```suggestion
current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or get_url_host()
```
##########
File path: superset/security/manager.py
##########
@@ -1366,7 +1379,8 @@ def parse_jwt_guest_token(raw_token: str) -> Dict[str, Any]:
"""
secret = current_app.config["GUEST_TOKEN_JWT_SECRET"]
algo = current_app.config["GUEST_TOKEN_JWT_ALGO"]
- return jwt.decode(raw_token, secret, algorithms=[algo])
+ aud = current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or get_url_host()
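Review bot: the hunk removes `return jwt.decode(raw_token, secret, algorithms=[algo])` but the replacement call is outside the visible lines; make sure it passes `audience=aud`, because PyJWT rejects a token that carries an `aud` claim unless `jwt.decode` is given a matching `audience=`, so now that tokens are issued with `aud` the decode call without it would fail with `jwt.InvalidAudienceError` for every guest token. A test that a token issued with a different `aud` is rejected, and that `get_guest_user_from_request` treats that like any other invalid token, would pin down the behaviour this claim is meant to provide.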
Review comment:
```suggestion
aud = current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or get_url_host()
```
##########
File path: superset/config.py
##########
@@ -1316,6 +1316,7 @@ def SQL_QUERY_MUTATOR( # pylint: disable=invalid-name,unused-argument
GUEST_TOKEN_JWT_ALGO = "HS256"
GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
GUEST_TOKEN_JWT_EXP_SECONDS = 300 # 5 minutes
+GUEST_TOKEN_JWT_DECODE_AUDIENCE = None
Review comment:
Since it's used both in encoding and decoding.