bito-code-review[bot] commented on code in PR #39469:
URL: https://github.com/apache/superset/pull/39469#discussion_r3206436683


##########
superset/views/users/schemas.py:
##########
@@ -15,16 +15,15 @@
 # specific language governing permissions and limitations
 # under the License.
 from flask_appbuilder.security.sqla.apis.user.schema import User
-from flask_appbuilder.security.sqla.apis.user.validator import (
-    PasswordComplexityValidator,
-)
-from marshmallow import fields, Schema
+from marshmallow import fields, Schema, validates_schema, ValidationError
 from marshmallow.fields import Boolean, Integer, String
 from marshmallow.validate import Length
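Review bot: Dropping the `PasswordComplexityValidator` import (lines 12-14) leaves nothing in `schemas.py` that enforces FAB's password policy; if a field in this module previously carried `validate=PasswordComplexityValidator()`, confirm that every consumer of these schemas still gets an equivalent check, not only the new `/password` endpoint, which calls `validate_auth_db_password` in `api.py` instead. The new `validates_schema` and `ValidationError` imports suggest a schema-level validator was added; raising its error keyed to a field name keeps `error.messages` in the `response_400` handlers consistent with the per-field errors.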

Review Comment:
**Missing Translation for Error Message**

The ValidationError message is user-facing (returned in API 400 responses) but not wrapped with a translation function, violating BITO rule [6516] for translatable user-facing text. This prevents localization support.

Code suggestion (check the AI-generated fix before applying):

````suggestion
 from marshmallow.validate import Length
 from flask_babel import lazy_gettext as _
````

Code Review Run #eab5b7
   



##########
superset/views/users/api.py:
##########
@@ -163,6 +230,140 @@ def update_me(self) -> Response:
         except ValidationError as error:
             return self.response_400(message=error.messages)
 
+    @expose("/password", methods=["PUT"])
+    @protect()
+    @permission_name("write")
+    @safe
+    @statsd_metrics
+    @event_logger.log_this_with_context(
+        action=lambda self, *args, **kwargs: 
f"{self.__class__.__name__}.put_password",
+        log_to_statsd=False,
+    )
+    @requires_json
+    @_rate_limit_me_password_change
+    def update_my_password(self) -> Response:
+        """Update the current user's password (AUTH_DB only)
+        ---
+        put:
+          summary: Update the current user's password
+          description: >-
+            Changes the authenticated user's password when ``AUTH_TYPE`` is 
``AUTH_DB``.
+            Requires the current password and a new password that satisfies 
``AUTH_DB_CONFIG``
+            policy.
+          requestBody:
+            required: true
+            content:
+              application/json:
+                schema:
+                  $ref: '#/components/schemas/CurrentUserPasswordPutSchema'
+          responses:
+            200:
+              description: Password updated successfully
+              content:
+                application/json:
+                  schema:
+                    type: object
+                    properties:
+                      result:
+                        $ref: '#/components/schemas/UserResponseSchema'
+            400:
+              $ref: '#/components/responses/400'
+            401:
+              $ref: '#/components/responses/401'
+            500:
+              $ref: '#/components/responses/500'
+        """
+        if app.config.get("AUTH_TYPE") != AUTH_DB:
+            return self.response_400(
+                message=(
+                    "Password change is only available when AUTH_TYPE is 
AUTH_DB."
+                ),
+            )
+        try:
+            body = self.current_user_password_put_schema.load(request.json or 
{})
+        except ValidationError as error:
+            return self.response_400(message=error.messages)
+
+        try:
+            validate_auth_db_password(body["new_password"])
+        except ValidationError as error:
+            return self.response_400(message=error.messages)
+
+        user_db = db.session.get(User, g.user.id)
+        if user_db is None:
+            return self.response_404()
+
+        old_hash = user_db.password
+        if not check_password_hash(old_hash, body["current_password"]):
+            return self.response_400(message="Incorrect current password.")
+
+        try:
+            new_hash = generate_password_hash(
+                password=body["new_password"],
+                method=get_auth_db_password_hash_method(),
+                salt_length=app.config.get("FAB_PASSWORD_HASH_SALT_LENGTH", 
16),
+            )
+        except ValidationError as error:
+            return self.response_400(message=error.messages)
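Review bot: `check_password_hash(old_hash, body["current_password"])` (line 143) is not guarded against `user_db.password` being `None`; a user provisioned without a local hash (for example, created under another `AUTH_TYPE` before the deployment switched to `AUTH_DB`) would make the hash check raise inside werkzeug and surface as a 500 through `@safe` rather than a clean 400. Suggest `if not old_hash or not check_password_hash(old_hash, body["current_password"]):` so the endpoint returns the same `"Incorrect current password."` response in that case. Also, `@protect()` with `@permission_name("write")` can produce a 403, which the docstring's responses block (400/401/500) does not list.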

Review Comment:
**Unreachable Exception Handler**

The except ValidationError block is unreachable because werkzeug.security.generate_password_hash does not raise ValidationError. This dead code should be removed to avoid confusion and maintain clean code.

Code Review Run #eab5b7
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

