Re: [PR] fix(async-query): prevent JWT InvalidSubjectError for guest users [superset]

Wed, 11 Feb 2026 02:45:21 -0800 


bito-code-review[bot] commented on code in PR #37862:
URL: https://github.com/apache/superset/pull/37862#discussion_r2792582297


##########
tests/unit_tests/async_events/async_query_manager_tests.py:
##########
@@ -122,6 +122,58 @@ def test_submit_chart_data_job_as_guest_user(
     job_mock.reset_mock()  # Reset the mock for the next iteration
 
 
+def test_parse_channel_id_from_request_sub_none(async_query_manager):
+    """Regression: token with sub=None must not break parse (PyJWT 2.10.1+)."""
+    encoded_token = encode(
+        {"channel": "test_channel_id", "sub": None},
+        JWT_TOKEN_SECRET,
+        algorithm="HS256",
+    )
+
+    request = Mock()
+    request.cookies = {JWT_TOKEN_COOKIE_NAME: encoded_token}
+
+    with raises(AsyncQueryTokenException):
+        async_query_manager.parse_channel_id_from_request(request)
+
+
+def test_validate_session_guest_user_creates_valid_token(async_query_manager):
+    """Regression: validate_session must create decodable tokens when user_id 
is None."""
+    from flask import Flask
+
+    async_query_manager._jwt_cookie_secure = False
+    async_query_manager._jwt_cookie_domain = None
+    async_query_manager._jwt_cookie_samesite = "Lax"
+
+    app = Flask(__name__)
+    app.secret_key = "test"

Review Comment:
   <div>
   
   
   <div id="suggestion">
   <div id="issue"><b>Hardcoded password string in code</b></div>
   <div id="fix">
   
   Hardcoded secret key `"test"` detected on line 149. Use environment 
variables or secure configuration management instead of hardcoding secrets.
   </div>
   
   
   <details>
   <summary>
   <b>Code suggestion</b>
   </summary>
   <blockquote>Check the AI-generated fix before applying</blockquote>
   <div id="code">
   
   
   ````suggestion
       app = Flask(__name__)
       app.secret_key = "test_secret_key_for_testing"  # noqa: S105
   ````
   
   </div>
   </details>
   
   
   
   </div>
   
   
   
   
   <small><i>Code Review Run #0e1204</i></small>
   </div>
   
   ---
   Should Bito avoid suggestions like this for future reviews? (<a 
href=https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules</a>)
   - [ ] Yes, avoid them



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to