codeant-ai-for-open-source[bot] commented on PR #38747:
URL: https://github.com/apache/superset/pull/38747#issuecomment-4091502487
## **Sequence Diagram**
This PR changes MCP authentication to resolve the user from per-request JWT
context before any shared Flask state. It also clears stale g.user at the start
of each tool call and fails closed when a JWT user does not exist in the
database.
```mermaid
sequenceDiagram
    participant Tool as MCP Tool Call
    participant Hook as Auth Hook
    participant Auth as User Resolver
    participant DB as Superset Database
    Tool->>Hook: Invoke tool
    Hook->>Hook: Clear stale g.user
    Hook->>Auth: Resolve current user
    alt JWT context available
        Auth->>DB: Load user from JWT claims
        DB-->>Auth: User found or missing
        alt User missing
            Auth-->>Hook: Raise authentication error
        else User found
            Auth-->>Hook: Return JWT user
        end
    else No JWT context
        Auth-->>Hook: Fallback to MCP_DEV_USERNAME then g.user
    end
    Hook->>Tool: Execute as resolved user
```
---
*Generated by [CodeAnt AI](https://codeant.ai)*
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
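
The resolution order in the diagram above, as an added Python sketch that is not code from PR #38747 or from Superset. `g`, `USERS`, `AuthError`, `clear_stale_user`, `resolve_user` and `run_tool` are hypothetical stand-ins, and treating the JWT `sub` claim as the username and rejecting an unknown dev username are assumptions.

```python
from types import SimpleNamespace

# Hypothetical stand-ins (assumptions, not Superset code): `g` mimics Flask's
# shared global, USERS mimics the user table (constructed sample data).
g = SimpleNamespace(user=None)
USERS = {"alice": {"username": "alice"}, "dev": {"username": "dev"}}


class AuthError(Exception):
    """Raised when no trustworthy identity can be resolved."""


def clear_stale_user():
    """Drop whatever identity a previous tool call left in shared state."""
    g.user = None


def resolve_user(jwt_claims, dev_username=None):
    """Resolve the caller: per-request JWT first, shared state last."""
    if jwt_claims is not None:
        # A JWT context is the only acceptable identity source when present.
        user = USERS.get(jwt_claims.get("sub"))  # assumption: sub == username
        if user is None:
            # Fail closed: do not fall through to the dev user or g.user.
            raise AuthError("JWT subject not found in database")
        return user
    if dev_username is not None:  # stands in for MCP_DEV_USERNAME
        user = USERS.get(dev_username)
        if user is None:  # assumption: an unknown dev user is also rejected
            raise AuthError("dev user not found in database")
        return user
    if g.user is not None:  # set during this request, after the clear
        return g.user
    raise AuthError("no authenticated user")


def run_tool(tool, jwt_claims=None, dev_username=None):
    """Auth hook: clear stale state, resolve, then execute as that user."""
    clear_stale_user()
    g.user = resolve_user(jwt_claims, dev_username)
    return tool()


def whoami():
    """Sample tool body: reports the identity it is running as."""
    return g.user["username"]
```

Because the clear happens before resolution, a failed call leaves `g.user` empty instead of leaving the previous caller's identity in place for the next tool call.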