codeant-ai-for-open-source[bot] commented on code in PR #40309:
URL: https://github.com/apache/superset/pull/40309#discussion_r3285612563
##########
superset/mcp_service/jwt_verifier.py:
##########
@@ -61,21 +62,47 @@
"_jwt_failure_reason", default=None
)
+_MCP_BROWSER_HELLO_HTML: str = (
+ _resource_files("superset.mcp_service")
+ .joinpath("hello.html")
+ .read_text(encoding="utf-8")
+)
Review Comment:
**Suggestion:** Loading `hello.html` at module import time is brittle: if
the resource is missing/unreadable in a packaged deployment, importing this
module raises immediately and auth-provider construction fails. In
`create_default_mcp_auth_factory`, that exception path returns `None`, which
can leave MCP running without the intended auth provider. Load the file lazily
inside the handler (or guard with a fallback) so auth initialization cannot
fail due to a missing static template. [security]
<details>
<summary><b>Severity Level:</b> Critical 🚨</summary>
```mdx
- ❌ MCP server starts without JWT auth despite MCP_AUTH_ENABLED.
- ❌ Authentication silently disabled when hello.html resource missing or
unreadable.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Configure Superset MCP with JWT auth enabled so the default MCP auth
factory is used:
set `MCP_AUTH_ENABLED=True` and provide JWT settings referenced in
`create_default_mcp_auth_factory()` at
`superset/mcp_service/mcp_config.py:17-47` (e.g.
`MCP_JWKS_URI` or `MCP_JWT_PUBLIC_KEY`).
2. Deploy a build where the `hello.html` template is missing or unreadable
from the
`superset.mcp_service` package (the HTML is loaded via
`_resource_files("superset.mcp_service").joinpath("hello.html").read_text(...)`
at
`superset/mcp_service/jwt_verifier.py:65-69`).
3. Start the MCP server with default auth configuration (`superset
run-mcp-server`), which
calls `_create_auth_provider(flask_app)` at
`superset/mcp_service/server.py:672-744`. When
`_create_auth_provider()` reaches
`create_default_mcp_auth_factory(flask_app)` at
`server.py:35-37`, `create_default_mcp_auth_factory()` imports
`MCPJWTVerifier` /
`DetailedJWTVerifier` inside a `try` block at
`superset/mcp_service/mcp_config.py:30-60`.
4. During that import, module initialization of
`superset.mcp_service.jwt_verifier`
executes `_MCP_BROWSER_HELLO_HTML` at `jwt_verifier.py:65-69`, and the
missing/unreadable
`hello.html` causes an exception (e.g. `FileNotFoundError`). This bubbles
into the `from
superset.mcp_service.jwt_verifier import MCPJWTVerifier` line, is caught by
the broad
`except Exception` at `mcp_config.py:63-67`, which logs `"Failed to create
MCP auth
provider"` and returns `None`. `_create_auth_provider()` then receives
`auth_provider=None` at `server.py:35-40` and passes `auth=None` into
`init_fastmcp_server()` at `superset/mcp_service/app.py:9-20,63-66`, where
`auth` is only
applied if non-None (`if auth is not None: mcp.auth = auth`). As a result,
the MCP server
starts without any auth configured despite `MCP_AUTH_ENABLED=True`.
```
</details>
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=78e181918e20484ba22b651b0347b6f3&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=78e181918e20484ba22b651b0347b6f3&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/mcp_service/jwt_verifier.py
**Line:** 65:69
**Comment:**
*Security: Loading `hello.html` at module import time is brittle: if
the resource is missing/unreadable in a packaged deployment, importing this
module raises immediately and auth-provider construction fails. In
`create_default_mcp_auth_factory`, that exception path returns `None`, which
can leave MCP running without the intended auth provider. Load the file lazily
inside the handler (or guard with a fallback) so auth initialization cannot
fail due to a missing static template.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40309&comment_hash=55c925938da72a83175ea9a44df4318a5120580494721c5df7e3ab742ac052db&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40309&comment_hash=55c925938da72a83175ea9a44df4318a5120580494721c5df7e3ab742ac052db&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
