rusackas commented on PR #39645: URL: https://github.com/apache/superset/pull/39645#issuecomment-4434560081
Approved CI 🤞 A couple things to note:

1) No tests are added or updated. Security fixes like this should come with unit tests that explicitly verify the alg: none rejection and the missing-exp rejection.
2) There's no mention of whether the underlying JWT library (python-jose / joserfc) already handles these cases — if it does, some of these checks may be redundant or even incorrect in edge cases.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
