Vitor-Avila opened a new pull request, #37398: URL: https://github.com/apache/superset/pull/37398
### SUMMARY

Follow up to https://github.com/apache/superset/pull/37350, implements more OAuth2 fixes:

* The `start_oauth2_dance` method was not respecting a `DATABASE_OAUTH2_REDIRECT_URI` value.
* Fixed the connection creation process for GSheets, by checking the presence of `oauth2_client_info` in both `parameters` (used for the `/validate_parameters/` calls) and also in `masked_encrypted_extra` (used when creating/updating the connection).
* Added OAuth2 secret to the sensitive fields for GSheets.
* Improved the `needs_oauth2` validation for GSheets to account for revoked tokens.
* Improved the `get_oauth2_fresh_token` method for GSheets to `raise` when trying to use a refresh token from a revoked token.
* Improved the `get_table_names` method for GSheets with OAuth2 connections. The list of tables now will only be visible after the user has a valid OAuth2 token. **Note that the list of tables is unfiltered, but the user can only see the actual data from tables they have access to**.
* Added logic to the OAuth2 flow to delete an expired token in case its refresh token fails. This should allow end users to create a new OAuth2 token.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

**Before:** Users could list all tables even before authenticating.

https://github.com/user-attachments/assets/86584d7b-5e26-4234-b928-61c351b71b27

**After:** Users can only list tables after authenticating.

https://github.com/user-attachments/assets/7eb29222-937a-40cc-b6eb-29d9179e0caa

### TESTING INSTRUCTIONS

Test coverage added. For manual testing:

1. Create an OAuth2 connection for GSheets.
2. Confirm you can't get the list of tables before going through the OAuth2 flow.
3. Authenticate and run a query.
4. In your Google account settings, revoke the app perms.
5. Try querying anything in Superset, and validate that the OAuth2 prompt is successfully visible again.
6. Authenticate again, and confirm it works.
7. In your Google account settings, revoke the app perms once again.
8. Manually edit the expiration time of the OAuth token in the DB, and try running a new query.
9. Try executing anything in Superset. Confirm you're prompted to create a new OAuth2 token.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
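
The token lifecycle the summary describes (refresh on expiry, delete the stored token when the refresh is rejected, list tables only with a valid token), as an added example that is not code from this pull request or from Superset. `TokenStore`, `get_access_token`, `list_tables`, `RefreshFailed` and `OAuth2RedirectError` are hypothetical names, and the store is an in-memory stand-in for the token table.

```python
import time
from dataclasses import dataclass

class OAuth2RedirectError(Exception):
    """The caller must send the user through the OAuth2 flow (again)."""

class RefreshFailed(Exception):
    """The provider rejected the refresh token, e.g. access was revoked."""

@dataclass
class Token:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds

class TokenStore:
    """Hypothetical in-memory stand-in for the per-user token table."""
    def __init__(self):
        self._rows = {}
    def get(self, key):
        return self._rows.get(key)
    def put(self, key, token):
        self._rows[key] = token
    def delete(self, key):
        self._rows.pop(key, None)

def get_access_token(store, key, refresh, now=None):
    """Return a usable access token or raise OAuth2RedirectError."""
    now = time.time() if now is None else now
    token = store.get(key)
    if token is None:
        raise OAuth2RedirectError("no token stored")
    if token.expires_at > now:
        return token.access_token
    try:
        fresh = refresh(token.refresh_token)
    except RefreshFailed:
        # Drop the dead row. If it stayed, every later request would retry
        # the same revoked refresh token and the user could never re-consent.
        store.delete(key)
        raise OAuth2RedirectError("refresh rejected, stored token deleted") from None
    store.put(key, fresh)
    return fresh.access_token

def list_tables(store, key, refresh, fetch_tables, now=None):
    """List tables only once the caller holds a valid token."""
    return fetch_tables(get_access_token(store, key, refresh, now))
```
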
