rusackas commented on code in PR #40638:
URL: https://github.com/apache/superset/pull/40638#discussion_r3338278018


##########
superset/async_events/async_query_manager.py:
##########
@@ -178,8 +183,13 @@ def validate_session(response: Response) -> Response:
                 session["async_user_id"] = user_id
 
                 sub = str(user_id) if user_id else None
+                now = datetime.now(tz=timezone.utc)
                 token = jwt.encode(
-                    {"channel": async_channel_id, "sub": sub},
+                    {
+                        "channel": async_channel_id,
+                        "sub": sub,
+                        "exp": now + 
timedelta(seconds=self._jwt_expiration_seconds),
+                    },
                     self._jwt_secret,
                     algorithm="HS256",
                 )
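Review bot: the hunk only adds `exp` on the encode side; make sure the matching `jwt.decode` call (not shown here) does not pass `options={"verify_exp": False}` or otherwise skip claim verification, because an `exp` that is minted but never checked gives no expiry at all, and consider a small `leeway` on that decode to absorb clock skew between the process that mints the token and the one that validates it. It is also worth emitting `"iat": now` next to `"exp"` so a token's age is visible independently of its expiry, and since `self._jwt_expiration_seconds` is configuration-driven, guarding against a zero or negative value, which would make every token already expired at issue time and force a fresh cookie and JWT on each request.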

Review Comment:
   The cookie rotation concern is addressed: the PR sets 
max_age=self._jwt_expiration_seconds on the cookie alongside the JWT exp claim. 
The browser will drop the cookie at the same time the JWT expires, so no 
stuck/invalid cookie scenario occurs — the next request generates a fresh 
cookie and JWT.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
