This is an automated email from the ASF dual-hosted git repository. aminghadersohi pushed a commit to branch work-pr-39604 in repository https://gitbox.apache.org/repos/asf/superset.git
commit 7829eff6fcff89ef4bf0b39bfec02ae6490fd82e Author: Amin Ghadersohi <[email protected]> AuthorDate: Fri May 8 14:36:16 2026 -0400 refactor(mcp): hoist API key auth imports to module top The API_KEY_PASSTHROUGH_CLAIM constant in auth.py and CompositeTokenVerifier in mcp_config.py have no circular-import or optional-dependency reason to be imported inline. Moved them to module top. --- superset/mcp_service/auth.py | 10 ++-------- superset/mcp_service/mcp_config.py | 5 +---- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/superset/mcp_service/auth.py b/superset/mcp_service/auth.py index 04b2e802a66..94b223aec08 100644 --- a/superset/mcp_service/auth.py +++ b/superset/mcp_service/auth.py @@ -51,6 +51,8 @@ from typing import Any, Callable, TYPE_CHECKING, TypeVar from flask import current_app, g, has_app_context, has_request_context from flask_appbuilder.security.sqla.models import Group, User +from superset.mcp_service.composite_token_verifier import API_KEY_PASSTHROUGH_CLAIM + if TYPE_CHECKING: from superset.connectors.sqla.models import SqlaTable from superset.mcp_service.chart.chart_utils import DatasetValidationResult @@ -288,10 +290,6 @@ def _resolve_user_from_jwt_context(app: Any) -> User | None: # API key pass-through: CompositeTokenVerifier accepted this token # at the transport layer but defers actual validation to # _resolve_user_from_api_key() (priority 2 in get_user_from_request). - from superset.mcp_service.composite_token_verifier import ( - API_KEY_PASSTHROUGH_CLAIM, - ) - claims = getattr(access_token, "claims", None) if isinstance(claims, dict) and claims.get(API_KEY_PASSTHROUGH_CLAIM): logger.debug("API key pass-through token detected, deferring to API key auth") @@ -361,10 +359,6 @@ def _resolve_user_from_api_key(app: Any) -> User | None: # Only validate tokens that the CompositeTokenVerifier flagged as # API key pass-throughs. Plain JWTs were already validated by the JWT # verifier and resolved in _resolve_user_from_jwt_context. - from superset.mcp_service.composite_token_verifier import ( - API_KEY_PASSTHROUGH_CLAIM, - ) - claims = getattr(access_token, "claims", None) if not (isinstance(claims, dict) and claims.get(API_KEY_PASSTHROUGH_CLAIM)): return None diff --git a/superset/mcp_service/mcp_config.py b/superset/mcp_service/mcp_config.py index 45b4bbd8eac..e70cd2b1ae7 100644 --- a/superset/mcp_service/mcp_config.py +++ b/superset/mcp_service/mcp_config.py @@ -22,6 +22,7 @@ from typing import Any, Dict, Optional from flask import Flask +from superset.mcp_service.composite_token_verifier import CompositeTokenVerifier from superset.mcp_service.constants import ( DEFAULT_TOKEN_LIMIT, DEFAULT_WARN_THRESHOLD_PCT, @@ -343,10 +344,6 @@ def create_default_mcp_auth_factory(app: Flask) -> Optional[Any]: return None if api_key_enabled: - from superset.mcp_service.composite_token_verifier import ( - CompositeTokenVerifier, - ) - api_key_prefixes = app.config.get("FAB_API_KEY_PREFIXES", ["sst_"]) logger.info("API key auth enabled for MCP") return CompositeTokenVerifier(
