This is an automated email from the ASF dual-hosted git repository. aminghadersohi pushed a commit to branch work-pr-39604 in repository https://gitbox.apache.org/repos/asf/superset.git
commit 0fb6ee5b3c0fc627602dfd55d4c810caf103d671 Author: Amin Ghadersohi <[email protected]> AuthorDate: Thu May 14 19:08:34 2026 +0000 fix(mcp): normalize FAB_API_KEY_PREFIXES from config before passing to CompositeTokenVerifier A plain string value (e.g. FAB_API_KEY_PREFIXES = "sst_") would iterate as individual characters ['s','s','t','_'], matching far too many tokens. Wrap strings in a list at the config-read boundary so CompositeTokenVerifier always receives a proper sequence regardless of how the config is set. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> --- superset/mcp_service/mcp_config.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/superset/mcp_service/mcp_config.py b/superset/mcp_service/mcp_config.py index 413132a0a91..9b06d5ecb41 100644 --- a/superset/mcp_service/mcp_config.py +++ b/superset/mcp_service/mcp_config.py @@ -346,7 +346,13 @@ def create_default_mcp_auth_factory(app: Flask) -> Optional[Any]: return None if api_key_enabled: - api_key_prefixes = app.config.get("FAB_API_KEY_PREFIXES", ["sst_"]) + raw_prefixes = app.config.get("FAB_API_KEY_PREFIXES", ["sst_"]) + # Normalize: a plain string (e.g. "sst_") would iterate as characters; + # wrap it in a list so CompositeTokenVerifier receives a proper sequence. + if isinstance(raw_prefixes, str): + api_key_prefixes = [raw_prefixes] + else: + api_key_prefixes = list(raw_prefixes) logger.info("API key auth enabled for MCP") return CompositeTokenVerifier( jwt_verifier=jwt_verifier,
