fgomezotero opened a new issue, #40714:
URL: https://github.com/apache/superset/issues/40714
### Bug description
When `GLOBAL_ASYNC_QUERIES` is enabled and an anonymous user
(unauthenticated, accessing dashboards via `PUBLIC_ROLE_LIKE`) opens a
dashboard, all charts fail with HTTP 401 and the frontend redirects to the
login page.
### Root cause
The `AsyncQueryManager` registers an `after_request` handler that generates
a JWT cookie for async event polling. For anonymous users, `user_id` is `None`,
and the code generates the token as follows:
```python
sub = str(user_id) if user_id else None
token = jwt.encode({"channel": async_channel_id, "sub": sub}, ...)
```
This encodes `"sub": None` in the JWT payload. When decoding in
`parse_channel_id_from_request`, PyJWT >= 2.4 validates that if the `sub` claim is
present, it must be a string, and raises:
`jwt.exceptions.InvalidSubjectError: Subject must be a string`
This causes the `/api/v1/chart/data` endpoint to return 401, and the frontend
interprets the response as an invalid session, redirecting to login.
### Error flow
1. Anonymous user accesses `/superset/dashboard/<id>/`
2. `after_request` generates JWT cookie with `{"channel": "...", "sub": null}`
3. Frontend POSTs to `/api/v1/chart/data` (includes JWT cookie)
4. Backend attempts to decode JWT → `InvalidSubjectError`
5. Endpoint responds with 401
6. Frontend redirects to `/login`
### How to reproduce the bug
1. Enable `GLOBAL_ASYNC_QUERIES: True` in feature flags
2. Set `PUBLIC_ROLE_LIKE = "Gamma"` to allow anonymous dashboard access
3. Grant the Public role access to a dashboard and its datasets
4. Open the dashboard in a browser without authenticating
5. All charts show errors and the page redirects to login
### Stacktrace
```text
Traceback (most recent call last):
  File "/app/superset/async_events/async_query_manager.py", line 204, in parse_channel_id_from_request
    return jwt.decode(token, self._jwt_secret, algorithms=["HS256"])["channel"]
  File "/app/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 222, in decode
    decoded = self.decode_complete(
  File "/app/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 167, in decode_complete
    self._validate_claims(
  File "/app/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 273, in _validate_claims
    self._validate_sub(payload, subject)
  File "/app/.venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 300, in _validate_sub
    raise InvalidSubjectError("Subject must be a string")
jwt.exceptions.InvalidSubjectError: Subject must be a string
```
### Screenshots/recordings
_No response_
### Superset version
6.0.0
### Python version
3.10
### Node version
16
### Browser
Chrome
### Additional context
_No response_
### Checklist
- [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
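The failure mode described in this issue, as an added stand-alone example (not Superset's or PyJWT's own code): a minimal hand-rolled HS256 JWT encoder/decoder whose claim check mirrors the string-only `sub` rule from the stack trace, a `buggy_token` that reproduces the `"sub": null` cookie for anonymous users, and a `fixed_token` that simply omits the claim when there is no user. The secret, channel ids and the omit-the-claim fix are assumptions for illustration, not the project's actual implementation.

```python
"""Reproduce the '"sub": null' decode failure with a minimal HS256 JWT (no PyJWT needed)."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed value, not a real Superset secret


class InvalidSubjectError(Exception):
    """Stand-in for jwt.exceptions.InvalidSubjectError."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())  # None -> null
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_hs256(token: str, secret: bytes) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    # Mirrors the rule in the stack trace: if "sub" is present it must be a string.
    if "sub" in payload and not isinstance(payload["sub"], str):
        raise InvalidSubjectError("Subject must be a string")
    return payload


def buggy_token(channel_id: str, user_id) -> str:
    sub = str(user_id) if user_id else None  # anonymous user -> "sub": null in the payload
    return encode_hs256({"channel": channel_id, "sub": sub}, SECRET)


def fixed_token(channel_id: str, user_id) -> str:
    payload = {"channel": channel_id}
    if user_id is not None:
        payload["sub"] = str(user_id)  # assumed fix: omit the claim instead of encoding None
    return encode_hs256(payload, SECRET)


def channel_from_token(token: str):
    """Return (channel, error): the polling handler's view of the cookie."""
    try:
        return decode_hs256(token, SECRET)["channel"], None
    except InvalidSubjectError as exc:
        return None, str(exc)
```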