rusackas opened a new pull request, #40699: URL: https://github.com/apache/superset/pull/40699
### SUMMARY Implements **Part A3** of the session/token-lifecycle SIP (#40674): **granular, per-embedded-dashboard guest-token revocation**. Guest tokens are self-contained JWTs with no revocation — when an embed's access should be cut off, you previously had to wait out the token `exp` or rotate the global `GUEST_TOKEN_JWT_SECRET` (which nukes *every* embed). This adds a per-dashboard revoke. **How it works** - `embedded_dashboards.guest_token_revoked_before` (new column + migration) records the revocation instant for one embedded dashboard. - `get_guest_user_from_request` rejects a guest token whose `iat` predates the `guest_token_revoked_before` of any dashboard resource it references (UTC-safe comparison). Tokens issued *after* the revoke, and dashboards that were never revoked (NULL), are unaffected — so it's backwards compatible by default. - `POST /api/v1/dashboard/<id_or_slug>/embedded/revoke` (gated by the existing `can_set_embedded` permission) stamps the timestamp via `EmbeddedDashboardDAO.revoke_guest_tokens`. Guest tokens already carry `iat`, so there's **no token-format change**. This complements the global revocation primitive (break-glass-all vs. revoke-one-embed). Closes part of #40674 (A3). ### TESTING INSTRUCTIONS ```bash pytest tests/integration_tests/security/guest_token_revocation_tests.py ``` **Validated end-to-end against a local Docker stack:** - Token valid → revoke the dashboard → same token **rejected** → a newly-issued token **valid**. - Revoking one dashboard does **not** affect tokens for another. - `POST .../embedded/revoke` returns **200** and stamps the column. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [x] Includes DB Migration - [x] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
