codeant-ai-for-open-source[bot] commented on code in PR #40777:
URL: https://github.com/apache/superset/pull/40777#discussion_r3358309562
##########
superset-frontend/src/theme/ThemeController.ts:
##########
@@ -1015,32 +1030,81 @@ export class ThemeController {
*/
private async fetchSystemDefaultTheme(): Promise<AnyThemeConfig | null> {
try {
- // Try to fetch theme marked as system default (is_system_default=true)
- const defaultResponse = await fetch(
-
'/api/v1/theme/?q=(filters:!((col:is_system_default,opr:eq,value:!t)))',
- );
- if (defaultResponse.ok) {
- const data = await defaultResponse.json();
- if (data.result?.length > 0) {
- const themeConfig = JSON.parse(data.result[0].json_data);
+ // Try to use SupersetClient first if it has been configured
+ try {
+ const response = await SupersetClient.get({
+ endpoint:
+
'/api/v1/theme/?q=(filters:!((col:is_system_default,opr:eq,value:!t)))',
+ });
+ if (response.json?.result?.length > 0) {
+ const themeConfig = JSON.parse(response.json.result[0].json_data);
if (themeConfig && typeof themeConfig === 'object') {
return themeConfig;
}
}
+ } catch (clientError) {
+ // If SupersetClient is not configured yet or request fails, fall back
to native fetch
+ const headers: Record<string, string> = {};
+ try {
+ const guestToken = SupersetClient.getGuestToken();
+ if (guestToken) {
+ headers['X-GuestToken'] = guestToken;
Review Comment:
**Suggestion:** The fallback `fetch` path hardcodes `X-GuestToken`, but
embedded mode supports a configurable guest-token header name
(`GUEST_TOKEN_HEADER_NAME`). In deployments that override this header, the
fallback API requests will be unauthenticated and theme recovery will silently
fail. Read the configured header name (or reuse SupersetClient's configured
request headers) instead of hardcoding the header key. [api mismatch]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ Embedded dashboards cannot recover themes via authenticated fallback API.
- ⚠️ Theme recovery uses stale or built-in defaults, not server.
- ⚠️ Behavior diverges when GUEST_TOKEN_HEADER_NAME is customized.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. In an embedded deployment, configure a non-default guest token header
name via backend
config so `bootstrapData.config.GUEST_TOKEN_HEADER_NAME` is not
`'X-GuestToken'` (this
value is read and passed into the embedded Superset client in
`superset-frontend/src/embedded/index.tsx:18-23`, where `setupGuestClient`
calls
`setupClient({ appRoot: applicationRoot(), guestToken, guestTokenHeaderName:
bootstrapData.config?.GUEST_TOKEN_HEADER_NAME, ... })`).
2. Load an embedded dashboard so that the embedded app bootstraps using
`EmbeddedContextProviders`
(`superset-frontend/src/embedded/EmbeddedContextProviders.tsx:14-31`), which
creates a
shared `ThemeController` instance and wires it into `SupersetThemeProvider`,
meaning theme
changes and recovery go through `ThemeController`.
3. Trigger a theme application error or an invalid theme configuration so
that
`ThemeController.updateTheme()` throws inside `applyTheme` (see
`superset-frontend/src/theme/ThemeController.ts:23-38` for `updateTheme`,
and `852-25` for
`applyTheme`), causing the `catch` block in `updateTheme` to execute and
call `await
this.fallbackToDefaultMode()` at
`superset-frontend/src/theme/ThemeController.ts:39-48`.
4. In `fallbackToDefaultMode()`
(`superset-frontend/src/theme/ThemeController.ts:56-60`),
the controller calls `fetchSystemDefaultTheme()`, which first tries
`SupersetClient.get(...)` and then falls back to native `fetch` on failure
(`52-91`). In
that fallback, it obtains the guest token via
`SupersetClient.getGuestToken()` at line
`1049` and unconditionally sends it as `headers['X-GuestToken'] =
guestToken;` at line
`1051`, ignoring the configured `guestTokenHeaderName`. In deployments where
`guestTokenHeaderName !== 'X-GuestToken'`, the backend will treat this
request as
unauthenticated, `defaultResponse.ok` will be false,
`fetchSystemDefaultTheme()` returns
`null` (`135`), and `fallbackToDefaultMode()` is forced to skip server theme
recovery and
instead use only the cached/built-in default theme (`600-37`), silently
failing to recover
the correct system theme for embedded dashboards.
```
</details>
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=b08aa244ce1b4db1ad77eec8a0e965eb&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=b08aa244ce1b4db1ad77eec8a0e965eb&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset-frontend/src/theme/ThemeController.ts
**Line:** 1049:1051
**Comment:**
*Api Mismatch: The fallback `fetch` path hardcodes `X-GuestToken`, but
embedded mode supports a configurable guest-token header name
(`GUEST_TOKEN_HEADER_NAME`). In deployments that override this header, the
fallback API requests will be unauthenticated and theme recovery will silently
fail. Read the configured header name (or reuse SupersetClient's configured
request headers) instead of hardcoding the header key.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40777&comment_hash=8dd5b4683349b7289c96eafe55bd7958ca05c5c43e0719625c478c62d6a865d7&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40777&comment_hash=8dd5b4683349b7289c96eafe55bd7958ca05c5c43e0719625c478c62d6a865d7&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
