rusackas opened a new pull request, #40695: URL: https://github.com/apache/superset/pull/40695
### SUMMARY

Implements **Part A2** of the session/token-lifecycle SIP (#40674) as a self-contained, tested change: a backend-agnostic **per-user session-invalidation epoch** that terminates a disabled account's outstanding sessions on their next request. Previously, disabling a user only audit-logged; access lingered until a passive check, and for client-side cookie sessions there was no server-side session to delete at all.

**How it works**

- `UserAttribute.sessions_invalidated_at` (new column + migration) records the invalidation epoch.
- `on_user_login` stamps `session["_login_at"]`.
- A `before_request` hook forces logout of any session whose login predates the user's epoch, then lets the request continue as anonymous so each route responds correctly for its type (**401** for the REST API, **redirect-to-login** for HTML views) — no route-kind branching needed. Fails **open** on any error (never locks everyone out on a bug).
- A SQLAlchemy `after_update` listener stamps the epoch when `active` flips to `False`, so it fires regardless of the disable path (**admin UI, REST API, or CLI**) and for **both** client-side cookie and server-side session backends. Deleted users are already rejected by Flask-Login's loader, so deletion needs no epoch.

**Backwards compatible by default**: inert for users that were never disabled (NULL epoch). The naive-UTC column comparison is handled explicitly.

Closes part of #40674 (A2). A1/A3/Part B remain in the SIP.

### TESTING INSTRUCTIONS

```bash
pytest tests/unit_tests/security/test_session_invalidation.py
pytest tests/integration_tests/security/session_invalidation_tests.py
```

**Validated end-to-end against a local Docker stack:**

- Migration applies cleanly to Postgres.
- Disabling a user via the ORM fires the event and stamps the epoch (incl. the INSERT-upsert path for users with no attribute row).
- Full HTTP flow: login → `/api/v1/me/` returns **200** → admin disables the user → same session → `/api/v1/me/` returns **401**.
Unit tests cover the epoch comparison incl. the UTC/naive-datetime correctness; the integration test covers the login → disable → forced-logout flow and the "active user is unaffected" case.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [x] Includes DB Migration
- [x] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)
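The epoch check the PR describes, written out as an added stand-alone illustration (not the PR's own code, which this message does not quote): `UserAttribute.sessions_invalidated_at` and `session["_login_at"]` are the names from the PR text; the helpers `as_aware_utc`, `login_predates_epoch`, `disable_user`, `should_force_logout`, the sample timeline, and the in-memory stand-ins for the ORM row and the Flask session are assumptions made here so the logic runs without Flask or SQLAlchemy.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class UserAttribute:
    # Stand-in for the ORM row (assumed); the real column is a naive-UTC DateTime.
    sessions_invalidated_at: datetime = None

def as_aware_utc(dt: datetime) -> datetime:
    """Naive values are UTC by column convention; aware ones are normalised to UTC."""
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)

def login_predates_epoch(login_at, epoch) -> bool:
    """NULL epoch (user never disabled) is inert; a missing login stamp is treated
    the same way here, which is an assumption of this illustration."""
    if login_at is None or epoch is None:
        return False
    return as_aware_utc(login_at) < as_aware_utc(epoch)

def disable_user(attr: UserAttribute, now: datetime) -> None:
    """What the after_update listener does once `active` flips to False:
    stamp the epoch as naive UTC, matching the column convention."""
    attr.sessions_invalidated_at = now.astimezone(timezone.utc).replace(tzinfo=None)

def should_force_logout(session: dict, attr) -> bool:
    """The before_request gate. Fails open: any error keeps the session alive
    so a bug never locks everyone out."""
    try:
        epoch = attr.sessions_invalidated_at if attr is not None else None
        return login_predates_epoch(session.get("_login_at"), epoch)
    except Exception:
        return False

# Constructed timeline: login at noon UTC, account disabled five minutes later.
LOGIN_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
DISABLED_AT = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)

def demo() -> dict:
    """Walk the login -> disable -> next-request flow and report each gate decision."""
    attr = UserAttribute()
    old = {"_login_at": LOGIN_AT}
    out = {"before_disable": should_force_logout(old, attr)}
    disable_user(attr, DISABLED_AT)
    out["old_session_after_disable"] = should_force_logout(old, attr)
    out["naive_stamp_after_disable"] = should_force_logout({"_login_at": LOGIN_AT.replace(tzinfo=None)}, attr)
    out["login_after_epoch"] = should_force_logout({"_login_at": datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)}, attr)
    out["corrupt_stamp_fails_open"] = should_force_logout({"_login_at": "garbage"}, attr)
    return out
```

`demo()` shows the three properties the PR claims: a NULL epoch is inert, a session stamped before the epoch (aware or naive) is forced out while a later login is not, and a malformed stamp fails open.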
