aminghadersohi opened a new pull request, #40688: URL: https://github.com/apache/superset/pull/40688
## Summary

Reverts #40582 (`chore(deps): migrate MCP service JWT errors from authlib.jose to joserfc`). The migration was premature.

`fastmcp` through at least version 3.3.1 still uses `authlib` internally — `JWTVerifier.__init__` sets `self.jwt = JsonWebToken([self.algorithm])` from `authlib.jose`. The Superset `DetailedJWTVerifier` inherits this and calls `self.jwt.decode()`, which raises `authlib.jose.errors.*` exceptions.

After #40582, the catch blocks in `DetailedJWTVerifier.load_access_token()` were updated to catch `joserfc.errors.*` classes, which have a completely separate class hierarchy (`authlib.jose.errors.JoseError → AuthlibBaseError → Exception` vs `joserfc.errors.JoseError → Exception`). The authlib exceptions are not caught, propagate through Starlette's `AuthenticationMiddleware` (which only catches `AuthenticationError`), and produce **500 Internal Server Error** instead of 401 for every invalid or expired token.

The unit tests in #40582 did not catch this because they mock `self.jwt.decode` with `side_effect=joserfc.errors.BadSignatureError()` — the mock raises a joserfc exception that IS caught. The real authlib object raises authlib exceptions.

## Changes

- Reverts `superset/mcp_service/jwt_verifier.py`: restores `from authlib.jose.errors import`; restores original import order
- Reverts `tests/unit_tests/mcp_service/test_jwt_verifier.py`: restores authlib-compatible constructor calls (`BadSignatureError(result=None)`, `ExpiredTokenError()`)
- Reverts `pyproject.toml`: removes `joserfc>=1.0.0,<2.0` from fastmcp extras
- Reverts `requirements/development.txt`: removes `joserfc==1.6.8` pin

## When to re-do the migration

When a version of `fastmcp` within the `>=3.2.4,<4.0` constraint replaces `authlib.jose.JsonWebToken` with a joserfc-based JWT object internally, the migration can be re-applied. At that point `self.jwt.decode()` will raise joserfc exceptions and the catch blocks will match.
🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
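The failure mode the PR describes (a catch block written for one library's exception hierarchy while the wrapped object raises another's, hidden by a mock that raises the expected class) can be reproduced without either library installed. The block below is an added example, not code from the Superset PR or from fastmcp/authlib/joserfc. The classes `AuthlibBaseError`, `AuthlibJoseError`, `JoserfcJoseError`, `RealJwt` and `FakeVerifier`, and the helpers `status_for`, `mocked_test_passes` and `check_catch_matches_decoder`, are constructed stand-ins that mirror only the hierarchy relationships the PR states; the "good.token.value" token is a constructed sample.

```python
"""
Added example: models the authlib/joserfc exception-hierarchy mismatch with
stand-in classes. Nothing here is the real authlib, joserfc or fastmcp API;
the class names and token value are constructed for the demonstration.
"""
from unittest.mock import MagicMock


# Stand-in for authlib's hierarchy as the PR states it:
# JoseError -> AuthlibBaseError -> Exception
class AuthlibBaseError(Exception):
    pass


class AuthlibJoseError(AuthlibBaseError):
    pass


class AuthlibBadSignatureError(AuthlibJoseError):
    pass


# Stand-in for joserfc's hierarchy: JoseError -> Exception (unrelated tree)
class JoserfcJoseError(Exception):
    pass


class JoserfcBadSignatureError(JoserfcJoseError):
    pass


class RealJwt:
    """Stand-in for the authlib-backed object fastmcp assigns to self.jwt.
    Constructed behaviour: only one token value decodes successfully."""

    def decode(self, token, key):
        if token != "good.token.value":
            raise AuthlibBadSignatureError("bad signature")
        return {"sub": "alice"}


class FakeVerifier:
    """Mimics the shape of load_access_token(): decode errors of the expected
    base class become a 401-style result; anything else escapes unhandled."""

    def __init__(self, jwt, caught_base):
        self.jwt = jwt
        self.caught_base = caught_base

    def load_access_token(self, token):
        try:
            return {"status": 200, "claims": self.jwt.decode(token, key="k")}
        except self.caught_base as exc:
            return {"status": 401, "error": exc.__class__.__name__}


def status_for(token, caught_base, jwt=None):
    """HTTP status the request ends with. An exception that escapes the
    verifier is what the middleware turns into a 500."""
    verifier = FakeVerifier(jwt if jwt is not None else RealJwt(), caught_base)
    try:
        return verifier.load_access_token(token)["status"]
    except Exception:
        return 500


def mocked_test_passes():
    """The test pattern described in the PR: decode is mocked to raise the
    joserfc class, so the catch block matches and the test stays green."""
    jwt = MagicMock()
    jwt.decode.side_effect = JoserfcBadSignatureError()
    return status_for("bad", JoserfcJoseError, jwt=jwt)


def check_catch_matches_decoder(jwt, caught_base, bad_token="bad"):
    """Regression guard: drive the real decoder with a bad token and confirm
    the exception it actually raises is an instance of what we catch."""
    try:
        jwt.decode(bad_token, key="k")
    except Exception as exc:
        return isinstance(exc, caught_base)
    return False  # a bad token decoding cleanly is also a failure


if __name__ == "__main__":
    print(status_for("bad", AuthlibJoseError))    # 401: catch matches decoder
    print(status_for("bad", JoserfcJoseError))    # 500: hierarchy mismatch
    print(mocked_test_passes())                   # 401: mock hides the bug
    print(check_catch_matches_decoder(RealJwt(), JoserfcJoseError))  # False
```

The last helper is the kind of check that would have exposed the problem before merge: instead of mocking `decode`, feed the actual decoder object a malformed token and assert that what it raises is caught by the verifier's `except` clauses.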
