sha174n opened a new pull request, #39999: URL: https://github.com/apache/superset/pull/39999
### SUMMARY When `EMBEDDED_SUPERSET` is enabled, Superset uses a dedicated `GUEST_TOKEN_JWT_SECRET` to sign guest tokens. The default value for this secret (`test-guest-secret-change-me`) is publicly known and must be changed before deploying to production. Previously Superset would start normally even with the default secret, silently allowing guest tokens to be forged by anyone who knows the default value. This PR adds a startup check (`check_guest_token_secret()`) that: - Does nothing when `EMBEDDED_SUPERSET` is disabled (no impact on standard deployments) - Logs a prominent warning when the default secret is detected - Exits with an error in non-debug/non-test environments, refusing to start This matches the existing pattern used by `check_secret_key()` for `SECRET_KEY`. Additionally, the `has_guest_access()` method in `security/manager.py` is updated to short-circuit early when a dashboard has no embedded config, avoiding unnecessary iteration over the resource list. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A — backend-only change. ### TESTING INSTRUCTIONS 1. Enable `EMBEDDED_SUPERSET` in config and leave `GUEST_TOKEN_JWT_SECRET` at its default value — server should refuse to start with a clear error message. 2. Enable `EMBEDDED_SUPERSET` and set `GUEST_TOKEN_JWT_SECRET` to a custom random value — server should start normally. 3. Standard deployment (no `EMBEDDED_SUPERSET`) — no behavior change. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
