github-advanced-security[bot] commented on code in PR #39604:
URL: https://github.com/apache/superset/pull/39604#discussion_r3237570512
##########
superset/mcp_service/auth.py:
##########
@@ -218,6 +220,25 @@
if access_token is None:
return None
+ # API key pass-through: CompositeTokenVerifier accepted this token
+ # at the transport layer but defers actual validation to
+ # _resolve_user_from_api_key() (priority 2 in get_user_from_request).
+ # Require client_id=="api_key" (set by CompositeTokenVerifier) in addition
+ # to the claim so that an external IdP JWT that happens to include the
+ # claim name is not misclassified as an API-key pass-through.
+ claims = getattr(access_token, "claims", None)
+ if isinstance(claims, dict) and claims.get(API_KEY_PASSTHROUGH_CLAIM):
+ if getattr(access_token, "client_id", None) == "api_key":
+ logger.debug(
+ "API key pass-through token detected, deferring to API key
auth"
+ )
+ return None
+ logger.debug(
+ "Ignoring %s claim on non-API-key token (client_id=%r); processing
as JWT",
+ API_KEY_PASSTHROUGH_CLAIM,
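Review bot: the second `logger.debug` call, `"Ignoring %s claim on non-API-key token (client_id=%r); processing as JWT"`, interpolates a value taken from `access_token` into the log line, which is the flow CodeQL reports as clear-text logging; the hunk ends after `API_KEY_PASSTHROUGH_CLAIM,` so the argument actually bound to `client_id=%r` is not visible here. Since this branch only needs to record that `client_id` was not `"api_key"`, log a boolean or a short hash of the value rather than the raw `client_id`, which for a token issued by an external IdP is caller-supplied input that does not belong in debug output. The first branch reads correctly: requiring both the claim and `client_id == "api_key"` before returning `None` keeps an IdP JWT that merely carries the claim name on the JWT path, as the comment above it intends.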
Review Comment:
## CodeQL / Clear-text logging of sensitive information
This expression logs [sensitive data (password)](1) as clear text.
This expression logs [sensitive data (password)](2) as clear text.
[Show more details](https://github.com/apache/superset/security/code-scanning/2283)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
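Added example, not Superset's code and not part of the bot comment above: the pass-through check from the hunk reproduced as a stand-alone function, with the debug log restructured so the token's `client_id` value never reaches the log line (only a truncated SHA-256 fingerprint does). The claim name, the `api_key` client id constant, the captured-log helper and the `SimpleNamespace` tokens are assumptions standing in for the real `access_token` objects, and the sample tokens are constructed for the example.

```python
"""Pass-through detection with a non-disclosing debug log (added example)."""
import hashlib
import logging
from types import SimpleNamespace

# Assumed names; the real claim and constant live in superset/mcp_service/auth.py.
API_KEY_PASSTHROUGH_CLAIM = "superset_api_key_passthrough"
API_KEY_CLIENT_ID = "api_key"

logger = logging.getLogger("example.mcp_auth")
logger.propagate = False  # keep the example's records out of the root logger


def fingerprint(value):
    """Short, non-reversible tag for correlating log lines without the raw value."""
    if not isinstance(value, str):
        return "<none>"
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def classify_token(access_token):
    """Mirror the hunk's decision: 'none', 'api_key_passthrough' or 'jwt'."""
    if access_token is None:
        return "none"
    claims = getattr(access_token, "claims", None)
    if isinstance(claims, dict) and claims.get(API_KEY_PASSTHROUGH_CLAIM):
        client_id = getattr(access_token, "client_id", None)
        if client_id == API_KEY_CLIENT_ID:
            logger.debug("API key pass-through token detected, deferring to API key auth")
            return "api_key_passthrough"
        # Log the decision and a fingerprint, never the token-derived value itself:
        # client_id on an external IdP JWT is caller-supplied and is what CodeQL
        # flags when it is formatted into the message with %r.
        logger.debug(
            "Ignoring %s claim on non-API-key token (client_id_fp=%s); processing as JWT",
            API_KEY_PASSTHROUGH_CLAIM,
            fingerprint(client_id),
        )
    return "jwt"


class _ListHandler(logging.Handler):
    """Collects formatted records so the example can inspect what was logged."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def run_with_captured_logs(access_token):
    """Classify a token and return (result, list of emitted log lines)."""
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    try:
        result = classify_token(access_token)
    finally:
        logger.removeHandler(handler)
    return result, handler.lines


# Constructed sample tokens (not real Superset, IdP or API-key objects).
PASSTHROUGH_TOKEN = SimpleNamespace(
    client_id="api_key", claims={API_KEY_PASSTHROUGH_CLAIM: True}
)
IDP_TOKEN_WITH_CLAIM = SimpleNamespace(
    client_id="sk-secret-value-9f2c",
    claims={API_KEY_PASSTHROUGH_CLAIM: True, "sub": "alice"},
)
PLAIN_JWT = SimpleNamespace(client_id="web-client", claims={"sub": "alice"})

if __name__ == "__main__":
    for token in (None, PASSTHROUGH_TOKEN, IDP_TOKEN_WITH_CLAIM, PLAIN_JWT):
        print(run_with_captured_logs(token))
```

The IdP token that carries the claim name but a different `client_id` is the case the hunk's comment is about: it stays on the JWT path, and the only trace in the log is the fingerprint, so a debug log shipped to a SIEM no longer reveals the identifier.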