suddjian commented on a change in pull request #18651:
URL: https://github.com/apache/superset/pull/18651#discussion_r804922012
##########
File path: superset/config.py
##########
@@ -1316,6 +1316,7 @@ def SQL_QUERY_MUTATOR( # pylint:
disable=invalid-name,unused-argument
GUEST_TOKEN_JWT_ALGO = "HS256"
GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
GUEST_TOKEN_JWT_EXP_SECONDS = 300 # 5 minutes
+GUEST_TOKEN_JWT_DECODE_AUDIENCE = None
Review comment:
```suggestion
GUEST_TOKEN_JWT_AUDIENCE = None
```
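Review bot: The new `GUEST_TOKEN_JWT_DECODE_AUDIENCE` constant on the `+` line has no comment, unlike the `# 5 minutes` note directly above it, so a reader of config.py cannot tell what `None` means or where the value ends up. From the manager.py hunks on this page it is used as the JWT `aud` claim when a guest token is minted and as the expected audience when one is decoded, with `get_url_host()` as the fallback in both places. I would add `# Audience ("aud") claim set on and required from guest token JWTs; None falls back to get_url_host()` above the assignment.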
##########
File path: superset/security/manager.py
##########
@@ -1308,6 +1309,7 @@ def create_guest_access_token(
secret = current_app.config["GUEST_TOKEN_JWT_SECRET"]
algo = current_app.config["GUEST_TOKEN_JWT_ALGO"]
exp_seconds = current_app.config["GUEST_TOKEN_JWT_EXP_SECONDS"]
+ aud = current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or
get_url_host()
Review comment:
```suggestion
aud = current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or
get_url_host()
```
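Review bot: The `or get_url_host()` fallback on the `+` line becomes part of the verification boundary, because the same expression supplies the expected audience in the get_guest_user_from_request and parse_jwt_guest_token hunks below, so whatever that helper returns decides which tokens verify. If it is derived from the incoming request rather than from static configuration, a deployment reachable under several hostnames would mint tokens that fail on another host, and the audience check would only ever be compared against a value the caller supplied; this page does not show the helper, so that needs confirming. A comment such as `# audience defaults to the configured URL host; keep in sync with the decode path` would record the intent, and a test that minting and parsing agree on the default would pin it. create_guest_access_token starts outside the hunk.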
##########
File path: superset/security/manager.py
##########
@@ -1337,13 +1341,22 @@ def get_guest_user_from_request(self, req: Request) ->
Optional[GuestUser]:
return None
try:
+ aud = (
+ current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or
get_url_host()
Review comment:
```suggestion
current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or
get_url_host()
```
##########
File path: superset/security/manager.py
##########
@@ -1366,7 +1379,8 @@ def parse_jwt_guest_token(raw_token: str) -> Dict[str,
Any]:
"""
secret = current_app.config["GUEST_TOKEN_JWT_SECRET"]
algo = current_app.config["GUEST_TOKEN_JWT_ALGO"]
- return jwt.decode(raw_token, secret, algorithms=[algo])
+ aud = current_app.config["GUEST_TOKEN_JWT_DECODE_AUDIENCE"] or
get_url_host()
Review comment:
```suggestion
aud = current_app.config["GUEST_TOKEN_JWT_AUDIENCE"] or
get_url_host()
```
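Review bot: The replacement for the removed `return jwt.decode(raw_token, secret, algorithms=[algo])` line is outside the hunk, so this page does not show the computed `aud` reaching the decoder. Once minted tokens carry an `aud` claim, PyJWT rejects them unless an audience is passed, so the new call must be `return jwt.decode(raw_token, secret, algorithms=[algo], audience=aud)` rather than leaving `aud` unused. The caller in get_guest_user_from_request wraps parsing in a `try:` whose except clause is also outside its hunk; confirm it covers `jwt.InvalidAudienceError`, which is a subclass of `jwt.InvalidTokenError`. parse_jwt_guest_token's docstring closes at the top of the hunk and its body continues past the hunk's end.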
##########
File path: superset/config.py
##########
@@ -1316,6 +1316,7 @@ def SQL_QUERY_MUTATOR( # pylint:
disable=invalid-name,unused-argument
GUEST_TOKEN_JWT_ALGO = "HS256"
GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
GUEST_TOKEN_JWT_EXP_SECONDS = 300 # 5 minutes
+GUEST_TOKEN_JWT_DECODE_AUDIENCE = None
Review comment:
Since it's used in both encoding and decoding.