rusackas opened a new pull request, #40676: URL: https://github.com/apache/superset/pull/40676
> **Draft / `hold:testing`** — adds a DB migration and a per-request check on the guest-token path. Needs validation under embedded load before merge.

### SUMMARY

Guest tokens (embedded dashboards) are self-contained JWTs validated only for signature, `exp`, and `aud` — there is **no revocation**. When an admin revokes a guest's access, existing tokens remain valid until expiry (ASVS 7.4.1, CWE-613).

This implements the SIP's **Part A3**:

- Adds `guest_token_revoked_before` (epoch seconds) to `embedded_dashboards` (migration `c8d2e3f4a5b6`).
- `get_guest_user_from_request` now rejects any guest token whose `iat` predates the revocation cutoff of one of its embedded-dashboard resources.
- `SecurityManager.revoke_guest_token_access(embedded_uuid)` sets the cutoff to now — revoking all currently-issued tokens for that dashboard while leaving later-issued ones valid.

Guest tokens already carry `iat`, so no token-format change is required. Default behavior is unchanged (`NULL` cutoff ⇒ no revocation).

### WHY DRAFT (`hold:testing`)

Wiring `revoke_guest_token_access` into an admin UI / REST action is a follow-up (this PR provides the mechanism). The revocation check adds a DAO lookup per guest request — needs validation under embedded load.

### TESTING INSTRUCTIONS

```
pytest tests/unit_tests/security/test_guest_token_revocation.py
```

Tests: token issued before the cutoff is rejected; token issued after is still valid; no cutoff ⇒ valid; missing `iat` ⇒ not revoked.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags: EMBEDDED_SUPERSET
- [ ] Changes UI
- [x] Includes DB Migration (adds `embedded_dashboards.guest_token_revoked_before`; reversible)
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
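The cutoff check described in the summary, as an added stand-alone sketch (not code from this PR or from Superset): a stdlib-only HS256 token is verified for signature, `exp` and `aud`, then its `iat` is compared against a per-dashboard cutoff. The function names, the `resources` claim layout, the secret, the audience and the in-memory dict standing in for the `guest_token_revoked_before` column are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
AUDIENCE = "constructed-audience"    # constructed value
# Stand-in for embedded_dashboards.guest_token_revoked_before (epoch seconds; None = NULL).
REVOKED_BEFORE = {"dash-a": None, "dash-b": None}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _mac(signing_input):
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def issue(claims):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return b".".join([head, body, _mac(head + b"." + body)]).decode()

def verify(token, now):
    """Signature, exp and aud: the checks the description says already exist."""
    head, body, sig = token.encode().split(b".")
    if not hmac.compare_digest(sig, _mac(head + b"." + body)):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if claims.get("exp", 0) <= now or claims.get("aud") != AUDIENCE:
        raise ValueError("expired or wrong audience")
    return claims

def is_revoked(claims):
    iat = claims.get("iat")
    if iat is None:
        return False  # matches the PR's stated test: missing iat => not revoked
    # Assumption: "predates" is read as strict "<", so a same-second token passes.
    for res in claims.get("resources", []):
        cutoff = REVOKED_BEFORE.get(res.get("id"))
        if cutoff is not None and iat < cutoff:
            return True  # one revoked resource rejects the whole token
    return False

def revoke(embedded_uuid, now):
    REVOKED_BEFORE[embedded_uuid] = now

def accept(token, now):
    try:
        return not is_revoked(verify(token, now))
    except ValueError:
        return False
```

Because the cutoff has one-second resolution, a token issued in the same second as the revocation passes the strict comparison used here; whether that boundary should be `<` or `<=` is worth pinning down in the PR's tests.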
