codeant-ai-for-open-source[bot] commented on code in PR #40201:
URL: https://github.com/apache/superset/pull/40201#discussion_r3256154768
##########
tests/integration_tests/security/api_tests.py:
##########
@@ -402,3 +403,36 @@ def test_get_roles_with_specific_test_data(self):
assert sorted(role2_api["user_ids"]) == role2_expected["user_ids"]
assert sorted(role2_api["permission_ids"]) ==
role2_expected["permission_ids"]
assert role2_api["group_ids"] == role2_expected["group_ids"]
+
+
+class TestLogoutSessionInvalidation(SupersetTestCase):
+ """Regression for #24713: a session cookie captured pre-logout must not
grant
+ access after the user logs out. The original report describes copying the
+ session cookie out, calling /logout/, and successfully reusing the cookie
in
+ a second browser to bypass authentication."""
+
+ def test_session_cookie_invalidated_after_logout(self):
+ self.login(ADMIN_USERNAME)
+
+ resp_authed = self.client.get("api/v1/dashboard/",
follow_redirects=False)
+ assert resp_authed.status_code == 200, (
+ f"Login did not yield an authenticated session "
+ f"(got {resp_authed.status_code})"
+ )
+
+ captured = {
+ c.name: c.value for c in self.client.cookie_jar if c.name ==
"session"
+ }
+ assert captured, "expected a session cookie after login"
+
+ self.client.get("/logout/", follow_redirects=True)
+
+ replay_client = app.test_client()
+ for name, value in captured.items():
+ replay_client.set_cookie("localhost", name, value)
Review Comment:
**Suggestion:** `set_cookie` is called with the old positional signature
(`server_name, key, value`), but this test suite already uses the newer
Flask/Werkzeug client signature (`key, value`, optional `domain=` kwarg). In
current environments this raises a `TypeError` and the regression test fails
before validating logout behavior. Update this call to the supported argument
contract. [api mismatch]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ Regression test errors before asserting session invalidation.
- ⚠️ Logout/session regression for #24713 remains unguarded.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Run the regression test
`TestLogoutSessionInvalidation.test_session_cookie_invalidated_after_logout`
defined in
`tests/integration_tests/security/api_tests.py:408-437`, which logs in,
captures the
session cookie, and then attempts to replay it via a fresh test client.
2. During the replay step, the test constructs `replay_client =
app.test_client()` at
`tests/integration_tests/security/api_tests.py:430` and then calls
`replay_client.set_cookie("localhost", name, value)` at
`tests/integration_tests/security/api_tests.py:432`.
3. Elsewhere in the same test suite, the Flask test client is used with the
newer
`set_cookie` signature:
`self.client.set_cookie(app.config["GLOBAL_ASYNC_QUERIES_JWT_COOKIE_NAME"],
"")` at
`tests/integration_tests/async_events/api_tests.py:136` and
`test_client.set_cookie(app.config["GLOBAL_ASYNC_QUERIES_JWT_COOKIE_NAME"],
"foo")` at
`tests/integration_tests/charts/data/api_tests.py:897`, both passing only
`key, value`
without a `server_name` positional argument.
4. Under the current Flask/Werkzeug version (confirmed by these existing
tests using `key,
value` without failure), `FlaskClient.set_cookie` no longer accepts a leading
`server_name` positional parameter; when
`test_session_cookie_invalidated_after_logout`
executes, the three-positional-argument call at `security/api_tests.py:432`
raises a
`TypeError` before the request to `api/v1/dashboard/` is made, so the test
errors out
instead of validating whether the session cookie is invalidated after logout.
```
</details>
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt=This%20is%20a%20comment%20left%20during%20a%20code%20review.%0A%0A%2A%2APath%3A%2A%2A%20tests%2Fintegration_tests%2Fsecurity%2Fapi_tests.py%0A%2A%2ALine%3A%2A%2A%20432%3A432%0A%2A%2AComment%3A%2A%2A%0A%09%2AApi%20Mismatch%3A%20%60set_cookie%60%20is%20called%20with%20the%20old%20positional%20signature%20%28%60server_name%2C%20key%2C%20value%60%29%2C%20but%20this%20test%20suite%20already%20uses%20the%20newer%20Flask%2FWerkzeug%20client%20signature%20%28%60key%2C%20value%60%2C%20optional%20%60domain%3D%60%20kwarg%29.%20In%20current%20environments%20this%20raises%20a%20%60TypeError%60%20and%20the%20regression%20test%20fails%20before%20validating%20logout%20behavior.%20Update%20this%20call%20to%20the%20supported%20argument%20contract.%0A%0AValidate%20the%20correctness%20of%20the%20flagged%20issue.%20If%20correct%2C%20How%20can%20I%20resolve%20this%3F%20If%20you%20propose%20a%20fix%2C%20implement%20it%20and%20please%20
make%20it%20concise.%0AOnce%20fix%20is%20implemented%2C%20also%20check%20other%20comments%20on%20the%20same%20PR%2C%20and%20ask%20user%20if%20the%20user%20wants%20to%20fix%20the%20rest%20of%20the%20comments%20as%20well.%20if%20said%20yes%2C%20then%20fetch%20all%20the%20comments%20validate%20the%20correctness%20and%20implement%20a%20minimal%20fix%0A)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt=This%20is%20a%20comment%20left%20during%20a%20code%20review.%0A%0A%2A%2APath%3A%2A%2A%20tests%2Fintegration_tests%2Fsecurity%2Fapi_tests.py%0A%2A%2ALine%3A%2A%2A%20432%3A432%0A%2A%2AComment%3A%2A%2A%0A%09%2AApi%20Mismatch%3A%20%60set_cookie%60%20is%20called%20with%20the%20old%20positional%20signature%20%28%60server_name%2C%20key%2C%20value%60%29%2C%20but%20this%20test%20suite%20already%20uses%20the%20newer%20Flask%2FWerkzeug%20client%20signature%20%28%60key%2C%20value%60%2C%20optional%20%60domain%3D%60%20kwarg%29.%20In%20current%20environments%20this%20r
aises%20a%20%60TypeError%60%20and%20the%20regression%20test%20fails%20before%20validating%20logout%20behavior.%20Update%20this%20call%20to%20the%20supported%20argument%20contract.%0A%0AValidate%20the%20correctness%20of%20the%20flagged%20issue.%20If%20correct%2C%20How%20can%20I%20resolve%20this%3F%20If%20you%20propose%20a%20fix%2C%20implement%20it%20and%20please%20make%20it%20concise.%0AOnce%20fix%20is%20implemented%2C%20also%20check%20other%20comments%20on%20the%20same%20PR%2C%20and%20ask%20user%20if%20the%20user%20wants%20to%20fix%20the%20rest%20of%20the%20comments%20as%20well.%20if%20said%20yes%2C%20then%20fetch%20all%20the%20comments%20validate%20the%20correctness%20and%20implement%20a%20minimal%20fix%0A)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** tests/integration_tests/security/api_tests.py
**Line:** 432:432
**Comment:**
*Api Mismatch: `set_cookie` is called with the old positional signature
(`server_name, key, value`), but this test suite already uses the newer
Flask/Werkzeug client signature (`key, value`, optional `domain=` kwarg). In
current environments this raises a `TypeError` and the regression test fails
before validating logout behavior. Update this call to the supported argument
contract.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40201&comment_hash=e1b970870c5ade3ed540f759eb6b3a17552b89e721ee72ecc9949f5d507ee6c2&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40201&comment_hash=e1b970870c5ade3ed540f759eb6b3a17552b89e721ee72ecc9949f5d507ee6c2&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
