Copilot commented on code in PR #40864:
URL: https://github.com/apache/superset/pull/40864#discussion_r3375255937
##########
superset/mcp_service/jwt_verifier.py:
##########
@@ -273,7 +273,13 @@ async def load_access_token(self, token: str) ->
AccessToken | None: # noqa: C9
)
return None
- # All validations passed
+ # All validations passed -- record a success entry so that
+ # successful access leaves an audit trail, not just failures.
+ logger.info(
+ "JWT authentication succeeded for client '%s' (scopes=%s)",
+ client_id,
+ sorted(scopes),
+ )
Review Comment:
This new INFO log includes `client_id` (which can fall back to the JWT
`sub`) and the extracted `scopes`. That contradicts this module/class’s
documented logging tiers (detailed claim-derived values only at DEBUG) and can
leak identifiers into production INFO logs. Consider keeping the INFO audit
entry generic and emitting the client/scopes details at DEBUG instead (or
update the documented tiers and explicitly accept the exposure).
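As an added illustration (not code from the Superset PR or from `jwt_verifier.py`), the proposed INFO line sits beside the tiered variant the comment suggests, with a capturing handler so a test can show which claim-derived values reach INFO under each logger level; all function and logger names are hypothetical.

```python
"""Two-tier success logging for a JWT verifier (hypothetical names)."""
import logging


class _Capture(logging.Handler):
    """Collects emitted records so callers can inspect what reached each level."""

    def __init__(self) -> None:
        super().__init__(level=logging.DEBUG)
        self.records: list[logging.LogRecord] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def record_success_as_proposed(logger: logging.Logger, client_id: str, scopes) -> None:
    """Mirror of the hunk under review: identity details land in the INFO entry."""
    logger.info("JWT authentication succeeded for client '%s' (scopes=%s)",
                client_id, sorted(scopes))


def record_success_tiered(logger: logging.Logger, client_id: str, scopes) -> None:
    """Generic INFO audit entry; claim-derived values only at DEBUG."""
    logger.info("JWT authentication succeeded")
    # Format the detailed line only when DEBUG is actually enabled.
    if logger.isEnabledFor(logging.DEBUG):
        logger.debug("JWT client '%s' granted scopes=%s", client_id, sorted(scopes))


def messages_by_level(emit, client_id: str, scopes, level: int) -> dict:
    """Run `emit` under a logger at `level`; return {levelname: [messages]}."""
    logger = logging.getLogger(f"example.jwt.{emit.__name__}.{level}")
    logger.propagate = False          # keep the example silent on stderr
    logger.setLevel(level)
    logger.handlers.clear()
    cap = _Capture()
    logger.addHandler(cap)
    emit(logger, client_id, scopes)
    out: dict = {}
    for rec in cap.records:
        out.setdefault(rec.levelname, []).append(rec.getMessage())
    return out


def leaks_identity_at_info(emit, client_id: str, scopes) -> bool:
    """Review check: does any INFO record carry the client id or a scope name?"""
    info = messages_by_level(emit, client_id, scopes, logging.INFO).get("INFO", [])
    return any(value in msg for msg in info for value in (client_id, *scopes))
```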
--
This is an automated message from the Apache Git Service.