rusackas opened a new pull request, #40669: URL: https://github.com/apache/superset/pull/40669
> **Draft / `hold:testing`** — adds behavior-sensitive request middleware on the auth path and a DB migration. Off by default; needs end-to-end validation before merge (see "Why draft").

### SUMMARY

Implements an opt-in **force-password-change-on-first-use** lifecycle (FINDING-016 / ASVS 6.4.1, CWE-262), for accounts an administrator provisions:

- **Per-user flag** `password_must_change` on the `UserAttribute` table (Superset's own per-user table — no change to FAB's `ab_user`), with Alembic migration `b7c9d1e2f3a4` (default `False`, `server_default false`).
- **`superset/security/password_change.py`** — helpers to set / clear / query the flag, plus a `before_request` hook that (when `ENABLE_FORCE_PASSWORD_CHANGE` is on) redirects flagged users to the password-reset page. The hook **exempts** auth / password-reset / user-info / static / health endpoints to prevent a redirect loop, and is a **no-op with zero per-request overhead when disabled (the default)**.
- **`SupersetSecurityManager.reset_password`** override clears the flag on a successful reset — covering both the self-service reset and the admin "Reset Password" action, which both route through `reset_password`.
- New config **`ENABLE_FORCE_PASSWORD_CHANGE`** (default `False`).

### WHY DRAFT (`hold:testing`)

- The `before_request` redirect runs on the auth path; if the exemption list doesn't match the real FAB endpoint names, it could loop. The list is defensive (matches `auth`/`login`/`logout`/`resetmypassword`/`userinfoedit`/`static`/`health` substrings, and treats unknown/`None` endpoints as exempt), but needs validation against a running instance.
- Needs confirmation that the self-service + admin reset flows clear the flag end-to-end.
- **Out of scope (follow-up):** wiring the flag to admin account-creation and secure-random initial-password generation. This PR provides the mechanism + the `set_password_must_change()` hook for those flows to call.
### TESTING INSTRUCTIONS

```
pytest tests/unit_tests/security/test_password_change.py
```

Unit tests cover the endpoint-exemption logic (redirect-loop prevention) and the flag query helper.

**Before merge:** flag a user, log in, confirm the redirect to reset, change the password, confirm the flag clears and normal access resumes.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [x] Includes DB Migration (adds `user_attribute.password_must_change`; atomic, reversible)
- [x] Introduces new feature or API (opt-in; default off)
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)
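A stand-alone model of the `before_request` decision the PR describes (config check first, exemption by endpoint substring, `None` endpoints exempt), added here as an illustration and not code from the PR or from Superset. The `User` class, the sample endpoint names, the case-insensitive matching and the `RESET_PASSWORD_URL` target are assumptions for the example.

```python
"""Model of the force-password-change guard described in the PR (not Superset's code)."""
from dataclasses import dataclass
from typing import Optional

# Substrings the PR says the exemption list matches; a hit means "do not redirect".
EXEMPT_ENDPOINT_SUBSTRINGS = (
    "auth", "login", "logout", "resetmypassword", "userinfoedit", "static", "health",
)

# Placeholder redirect target; the real reset route is not given in the PR text.
RESET_PASSWORD_URL = "/resetmypassword/form"


@dataclass
class User:
    username: str
    is_authenticated: bool
    password_must_change: bool  # stands in for UserAttribute.password_must_change


def is_exempt_endpoint(endpoint: Optional[str]) -> bool:
    """Unknown/None endpoints are exempt (as the PR states) so a request Flask
    could not route is never bounced into a redirect loop."""
    if endpoint is None:
        return True
    name = endpoint.lower()  # assumption: case-insensitive substring match
    return any(marker in name for marker in EXEMPT_ENDPOINT_SUBSTRINGS)


def password_change_guard(enabled: bool, endpoint: Optional[str],
                          user: Optional[User]) -> Optional[str]:
    """Return the redirect target, or None to let the request through.
    The config flag is tested first so the disabled default costs nothing."""
    if not enabled:
        return None
    if user is None or not user.is_authenticated:
        return None  # anonymous requests belong to the login flow
    if is_exempt_endpoint(endpoint):
        return None
    if not user.password_must_change:
        return None
    return RESET_PASSWORD_URL


if __name__ == "__main__":
    flagged = User("alice", is_authenticated=True, password_must_change=True)
    # Constructed endpoint names in FAB's "ViewClass.method" style.
    for ep in ["AuthDBView.login", "ResetMyPasswordView.this_form_get", "static",
               "HealthApi.health", "Superset.dashboard", "DashboardRestApi.get_list", None]:
        print(f"{ep!r:40} -> {password_change_guard(True, ep, flagged) or 'allow'}")
```

Running it shows only the non-exempt application views (`Superset.dashboard`, `DashboardRestApi.get_list`) redirecting a flagged user; everything on the auth/reset/static/health paths and the `None` endpoint passes through.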
