Re: [PR] fix: reject default guest/async JWT secrets at startup [superset]

Wed, 03 Jun 2026 02:36:43 -0700 


rusackas commented on code in PR #40649:
URL: https://github.com/apache/superset/pull/40649#discussion_r3347404814


##########
superset/initialization/__init__.py:
##########
@@ -691,6 +695,32 @@ def check_guest_token_secret(self) -> None:
         )
         sys.exit(1)
 
+    def check_async_query_secret(self) -> None:
+        """Refuse to start with the default async JWT secret when GAQ is 
enabled."""
+        if not feature_flag_manager.is_feature_enabled("GLOBAL_ASYNC_QUERIES"):
+            return
+        if (
+            self.config.get("GLOBAL_ASYNC_QUERIES_JWT_SECRET")
+            != CHANGE_ME_GLOBAL_ASYNC_QUERIES_JWT_SECRET
+        ):
+            return
+        self._log_config_warning(
+            "GLOBAL_ASYNC_QUERIES is enabled but 
GLOBAL_ASYNC_QUERIES_JWT_SECRET "
+            "has not been changed from its default value.\n"
+            "The default value is publicly known and must be replaced before "
+            "running in production.\n"
+            "Set a strong random value (at least 32 bytes) in 
superset_config.py:\n"
+            "  GLOBAL_ASYNC_QUERIES_JWT_SECRET = "
+            "'<output of: openssl rand -base64 42>'"
+        )
+        if self.superset_app.debug or self.superset_app.config["TESTING"] or 
is_test():
+            return

Review Comment:
   Good catch — re-examining this, my earlier replies were wrong. With 
GLOBAL_ASYNC_QUERIES enabled and the default secret in debug/testing, the 
warn-only early return in check_async_query_secret() did still let the default 
(21-byte) secret reach configure_async_queries(), where 
AsyncQueryManager.init_app()'s `len(...) < 32` check raises and crashes startup 
— defeating the warn-only intent. Fixed in 0a9aca6315: 
configure_async_queries() now skips async-query init when the secret is still 
the default, so the warn-only behavior actually holds in debug/testing while 
production still hard-aborts in check_async_query_secret(). Added unit tests 
covering both the skip and the normal-init paths.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to