rusackas opened a new pull request, #36410: URL: https://github.com/apache/superset/pull/36410
## Summary

This PR fixes a longstanding issue where JWT authentication didn't work with the `/api/v1/me` endpoints, causing 401 errors even with valid JWT tokens.

The root cause was that the endpoints relied on Flask's `g.user` being set, but there was no mechanism to populate it from JWT tokens in API requests. The `@protect()` decorator from Flask-AppBuilder properly handles both session-based and JWT-based authentication.

## Changes

- Add `@protect()` decorator to handle both session and JWT authentication
- Add `@permission_name()` decorators for proper permission management
- Remove redundant authentication checks now handled by `@protect()`
- Add `allow_browser_login = True` for consistency with other APIs

## Testing Instructions

1. Obtain a JWT token via `/api/v1/security/login`
2. Use the JWT token in the Authorization header: `Bearer <token>`
3. Call `/api/v1/me` - should now return user info (previously returned 401)
4. Call `/api/v1/me/roles/` - should now return user roles (previously returned 401)
5. Session-based authentication should continue to work as before

## Fixes

Fixes: #19525

## Additional Information

- No breaking changes - this is a bug fix that makes JWT auth work as intended
- Permissions are handled automatically by Flask-AppBuilder
- Follows the same pattern as other Superset APIs

🤖 Generated with [Claude Code](https://claude.ai/code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
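A simplified, stdlib-only model of the failure and fix described in this PR, added here as an example; it is not Superset's or Flask-AppBuilder's code. The dict-shaped request, `me_before`, `me_after`, the local `protect` stand-in, `make_jwt`/`verify_jwt` and `SECRET` are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time
from functools import wraps

SECRET = b"constructed-demo-secret"  # constructed value, not a real signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def make_jwt(sub: str, ttl: int = 300) -> str:
    """Issue an HS256 token, standing in for /api/v1/security/login."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    return f"{head}.{body}.{_sign(head + '.' + body)}"

def verify_jwt(token: str):
    """Return the subject if signature and expiry are valid, else None."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{head}.{body}"), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims["sub"] if claims["exp"] > time.time() else None
    except (ValueError, KeyError, TypeError):
        return None

def me_before(req: dict):
    # Pre-fix shape: only the session layer sets the user; a bearer token is never read.
    user = req.get("session_user")
    return (200, user) if user else (401, None)

def protect(allow_browser_login: bool = True):
    """Hypothetical stand-in for a decorator that accepts session or JWT."""
    def deco(view):
        @wraps(view)
        def wrapper(req: dict):
            user = req.get("session_user") if allow_browser_login else None
            if user is None:
                scheme, _, token = req.get("headers", {}).get("Authorization", "").partition(" ")
                user = verify_jwt(token) if scheme == "Bearer" else None
            return view(dict(req, user=user)) if user else (401, None)
        return wrapper
    return deco

@protect()
def me_after(req: dict):
    return 200, req["user"]
```

The same checks map onto the testing instructions: a valid bearer token must flip from 401 to 200, while expired or re-signed tokens must stay at 401.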
