bito-code-review[bot] commented on PR #35875:
URL: https://github.com/apache/superset/pull/35875#issuecomment-3458478400
<details open>
<summary><strong>Interaction Diagram by <a
href="https://bito.ai#sequence_diagram">Bito</a></strong></summary>
```mermaid
sequenceDiagram
participant Config as superset_config.py
participant FlaskApp as Flask App<br/>🔄 Updated | ●●○ Medium
participant MCPConfig as mcp_config.py<br/>🔄 Updated | ●●○ Medium
participant Auth as auth.py<br/>🔄 Updated | ●●● High
participant Hook as mcp_auth_hook<br/>🔄 Updated | ●●○ Medium
participant Tool as MCPTool (list_charts)<br/>●●○ Low
participant SecMgr as SecurityManager
participant User as User Entity
Config->>FlaskApp: Initialize with MCP_DEV_USERNAME
FlaskApp->>MCPConfig: get_mcp_config(app.config)
MCPConfig-->>FlaskApp: Return config dict
Tool->>Hook: @mcp_auth_hook decorator
Hook->>Auth: get_user_from_request()
Auth->>Auth: current_app.config.get(MCP_DEV_USERNAME)
Auth->>SecMgr: find_user(username)
SecMgr->>User: Query user by username
User-->>SecMgr: Return user object
SecMgr-->>Auth: Return user
Auth-->>Hook: Return user or raise ValueError
Hook-->>Tool: Execute tool with authenticated user
Note over Auth: Raises ValueError if username<br/>not configured or user not found
```
Critical path: superset_config.py->Flask App->mcp_config.py->auth.py->SecurityManager->User Entity
> **Note:** The diff refactors authentication to require explicit
> configuration of MCP_DEV_USERNAME in superset_config.py instead of defaulting
> to 'admin'. The get_user_from_request() function now reads from Flask
> config and validates both that the username is configured and that the user
> exists in the security manager, raising ValueError otherwise.
</details>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
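The fail-closed lookup described in the comment above, set beside the default-to-'admin' behaviour it replaces, as an added example that is not code from the Superset PR. `StubSecurityManager`, the `User` dataclass, the two resolver function names, and the sample users and roles are constructed for illustration; only `MCP_DEV_USERNAME`, `find_user` and the `ValueError` behaviour come from the comment.

```python
# Added illustration; not code from apache/superset.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    roles: tuple


class StubSecurityManager:
    """Constructed stand-in exposing find_user(username) as in the diagram."""

    def __init__(self, users):
        self._users = {u.username: u for u in users}

    def find_user(self, username):
        return self._users.get(username)  # None when the user does not exist


def get_user_default_admin(config, sm):
    """'Before' behaviour per the note: a missing setting falls back to 'admin'."""
    return sm.find_user(config.get("MCP_DEV_USERNAME", "admin"))


def get_user_explicit(config, sm):
    """'After' behaviour per the note: refuse when either precondition fails."""
    username = config.get("MCP_DEV_USERNAME")
    if not username:  # assumption: an empty string counts as "not configured"
        raise ValueError("MCP_DEV_USERNAME is not configured")
    user = sm.find_user(username)
    if user is None:
        raise ValueError(f"MCP_DEV_USERNAME user {username!r} not found")
    return user


def outcome(resolver, config, sm):
    """Return the resolved username, or the refusal message, for comparison."""
    try:
        user = resolver(config, sm)
        return user.username if user else None
    except ValueError as exc:
        return f"refused: {exc}"


# Constructed sample users: one privileged, one low-privilege.
SM = StubSecurityManager([User("admin", ("Admin",)), User("dev_ro", ("Gamma",))])
```

With an empty config the first resolver silently hands back the privileged account, while the second refuses; a typo in the configured name yields `None` from the first and an explicit error from the second.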