Copilot commented on code in PR #40651:
URL: https://github.com/apache/superset/pull/40651#discussion_r3338428073
##########
tests/unit_tests/async_events/async_query_manager_tests.py:
##########
@@ -78,6 +79,68 @@ def
test_parse_channel_id_from_request_bad_jwt(async_query_manager):
async_query_manager.parse_channel_id_from_request(request)
+def test_generate_jwt_sets_expiration(async_query_manager):
+ """Generated tokens carry iat/exp and round-trip through parsing."""
+ import jwt
+
+ token = async_query_manager.generate_jwt({"channel": "abc", "sub": "1"})
+ claims = jwt.decode(token, JWT_TOKEN_SECRET, algorithms=["HS256"])
+
+ assert claims["channel"] == "abc"
+ assert "exp" in claims
+ assert "iat" in claims
+ assert claims["exp"] > claims["iat"]
+ assert (
+ async_query_manager.parse_channel_id_from_request(
+ Mock(cookies={"superset_async_jwt": token})
+ )
+ == "abc"
+ )
+
+
+def test_parse_channel_id_rejects_expired_token(async_query_manager):
+ """An expired token is rejected (PyJWT validates exp on decode)."""
+ past = datetime.now(tz=timezone.utc) - timedelta(hours=2)
+ expired = encode(
+ {
+ "channel": "abc",
+ "iat": past,
+ "exp": past + timedelta(hours=1),
+ },
+ JWT_TOKEN_SECRET,
+ algorithm="HS256",
+ )
+
+ with raises(AsyncQueryTokenException):
+ async_query_manager.parse_channel_id_from_request(
+ Mock(cookies={"superset_async_jwt": expired})
+ )
+
+
+def test_jwt_needs_refresh(async_query_manager):
+ """Refresh missing/legacy/expired/near-expiry tokens; keep fresh ones."""
+ now = datetime.now(tz=timezone.utc)
+
+ # Missing token
+ assert async_query_manager._jwt_needs_refresh(None) is True
+
+ # Legacy token without exp
+ legacy = encode({"channel": "abc"}, JWT_TOKEN_SECRET, algorithm="HS256")
+ assert async_query_manager._jwt_needs_refresh(legacy) is True
+
+ # Fresh token (full lifetime remaining) is not refreshed
+ fresh = async_query_manager.generate_jwt({"channel": "abc"})
+ assert async_query_manager._jwt_needs_refresh(fresh) is False
+
+ # Token in the second half of its lifetime is refreshed
+ near_expiry = encode(
+ {"channel": "abc", "iat": now, "exp": now + timedelta(minutes=10)},
+ JWT_TOKEN_SECRET,
+ algorithm="HS256",
+ )
+ assert async_query_manager._jwt_needs_refresh(near_expiry) is True
Review Comment:
`test_jwt_needs_refresh` claims it covers expired tokens, but it only
asserts missing/legacy/fresh/near-expiry. Since `_jwt_needs_refresh` is a key
part of the sliding-refresh behavior, add an explicit expired-token assertion
so regressions (e.g. catching the wrong exception type) are detected.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
