rusackas opened a new pull request, #38177: URL: https://github.com/apache/superset/pull/38177
## Summary

PyJWT >= 2.10 enforces that the 'sub' claim must be a string, which breaks the `/api/v1/security/guest_token` and `/api/v1/security/csrf_token` endpoints when the subject is not a string, resulting in a 422 error with message "Subject must be string". This adds `JWT_VERIFY_SUB = False` to the default config to disable this verification until the upstream issue is resolved.

**This is an adoption of #32244 by @hainenber**, rebased on current master.

## References

- https://github.com/jpadilla/pyjwt/issues/1017
- https://github.com/dpgaspar/Flask-AppBuilder/issues/2287

## Test plan

- [ ] Verify Guest Token API works without 422 error
- [ ] Verify CSRF token endpoint works correctly

Closes #32241
Supersedes #32244

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: hainenber <[email protected]>
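The behaviour this pull request works around, as an added example that is not part of the pull request and is not PyJWT, Flask-AppBuilder or Superset code: a stdlib-only HS256 model in which the `encode`, `decode` and `outcome` helpers, the `verify_sub` flag and the key are all constructed for illustration. It assumes the subject-type check is independent of signature verification, and goes one step beyond the PR by showing that a subject issued as a string passes the strict check.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(signing_input: str, key: bytes) -> str:
    return _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def encode(claims: dict, key: bytes = KEY) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body, key)}"


def decode(token: str, key: bytes = KEY, verify_sub: bool = True) -> dict:
    header, body, sig = token.split(".")
    # The signature is checked regardless of verify_sub (assumption of this model).
    if not hmac.compare_digest(sig, _sign(f"{header}.{body}", key)):
        raise ValueError("Signature verification failed")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    # Modelled on the check the PR describes: a non-string 'sub' is rejected.
    if verify_sub and "sub" in claims and not isinstance(claims["sub"], str):
        raise ValueError("Subject must be string")
    return claims


def outcome(token: str, **options) -> str:
    """Return 'accepted' or the rejection message for a token."""
    try:
        decode(token, **options)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    int_sub = encode({"sub": 42})       # subject issued as an integer
    str_sub = encode({"sub": str(42)})  # same subject cast to a string
    print(outcome(int_sub))                    # strict check
    print(outcome(int_sub, verify_sub=False))  # check disabled
    print(outcome(str_sub))                    # strict check, string subject
```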
