codeant-ai-for-open-source[bot] commented on code in PR #40638:
URL: https://github.com/apache/superset/pull/40638#discussion_r3337848480
##########
superset/async_events/async_query_manager.py:
##########
@@ -178,8 +183,13 @@ def validate_session(response: Response) -> Response:
session["async_user_id"] = user_id
sub = str(user_id) if user_id else None
+ now = datetime.now(tz=timezone.utc)
token = jwt.encode(
- {"channel": async_channel_id, "sub": sub},
+ {
+ "channel": async_channel_id,
+ "sub": sub,
+ "exp": now +
timedelta(seconds=self._jwt_expiration_seconds),
+ },
self._jwt_secret,
algorithm="HS256",
)
Review Comment:
**Suggestion:** Adding an `exp` claim without updating token-rotation logic
causes expired cookies to get stuck: `validate_session` only checks cookie
presence/session keys, so once the JWT expires it keeps being sent, decode
fails with 401, and no new token is issued. Update the reset condition to treat
expired/invalid JWTs as `reset_token=True` (or set cookie `max_age`/`expires`
to match JWT lifetime) so clients can recover automatically after expiry.
[logic error]
<details>
<summary><b>Severity Level:</b> Critical 🚨</summary>
```mdx
- ❌ Async explore JSON flow fails after JWT expiry.
- ❌ Async events API returns 401 indefinitely post-expiration.
- ⚠️ Users must manually refresh session to recover.
- ⚠️ Long-lived dashboards break for GLOBAL_ASYNC_QUERIES users.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Start Superset with GLOBAL_ASYNC_QUERIES enabled and default config,
which registers
the `AsyncQueryManager.init_app` request handlers
(`superset/async_events/async_query_manager.py:121-168`,
`superset/config.py:2320-2331`).
2. Log in and hit any standard page (for example, explore) so the
`validate_session`
after-request handler runs and issues an async JWT with an `exp` claim and
stores
`session["async_channel_id"]` and `session["async_user_id"]`
(`async_query_manager.py:168-185` plus the token issuance at lines 186-195).
3. Leave the browser tab open until after
`GLOBAL_ASYNC_QUERIES_JWT_EXPIRATION_SECONDS`
has elapsed (default 3600 seconds per `superset/config.py:2329-2331`), so
the JWT in the
`GLOBAL_ASYNC_QUERIES_JWT_COOKIE_NAME` cookie is now expired but still
present; the
session keys remain unchanged.
4. Trigger an async query path, e.g. load chart data via the async explore
flow where
`async_query_manager.parse_channel_id_from_request(request)` is called in
`superset/views/core.py:367-372`, or via the async events API at
`superset/async_events/api.py:92-20`, or the async chart job command at
`superset/commands/chart/data/create_async_job_command.py:7-14`;
`parse_channel_id_from_request` (`async_query_manager.py:208-217`) calls
`jwt.decode(...)`
which raises due to the expired `exp`, causing `AsyncQueryTokenException`
and a 401/"Not
authorized" response, while `validate_session` on the same request sees a
non-empty cookie
and intact `session["async_channel_id"]`/`session["async_user_id"]`
(`async_query_manager.py:173-177`), so `reset_token` is False and no new JWT
is issued,
leaving subsequent requests stuck in the same 401 loop until the user
manually clears
cookies or session.
```
</details>
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=829f83dc35b34099836884f3f1fd2675&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=829f83dc35b34099836884f3f1fd2675&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/async_events/async_query_manager.py
**Line:** 186:195
**Comment:**
*Logic Error: Adding an `exp` claim without updating token-rotation
logic causes expired cookies to get stuck: `validate_session` only checks
cookie presence/session keys, so once the JWT expires it keeps being sent,
decode fails with 401, and no new token is issued. Update the reset condition
to treat expired/invalid JWTs as `reset_token=True` (or set cookie
`max_age`/`expires` to match JWT lifetime) so clients can recover automatically
after expiry.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40638&comment_hash=11a81a71023a96c482b5add15b48885d6e4207d05f352904340c944d1fb6fe5f&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40638&comment_hash=11a81a71023a96c482b5add15b48885d6e4207d05f352904340c944d1fb6fe5f&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
