rusackas commented on code in PR #40864:
URL: https://github.com/apache/superset/pull/40864#discussion_r3375310991


##########
superset/mcp_service/jwt_verifier.py:
##########
@@ -273,7 +273,13 @@ async def load_access_token(self, token: str) -> 
AccessToken | None:  # noqa: C9
                     )
                     return None
 
-            # All validations passed
+            # All validations passed -- record a success entry so that
+            # successful access leaves an audit trail, not just failures.
+            logger.info(
+                "JWT authentication succeeded for client '%s' (scopes=%s)",
+                client_id,
+                sorted(scopes),
+            )
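Review bot: `sorted(scopes)` in the new `logger.info` call raises `TypeError` whenever the scopes claim contains entries that are not mutually orderable (a string next to a dict or an int, for example), and because this statement runs only after every validation has passed, a malformed claim would turn an otherwise-valid token into a failure raised from the logging line rather than from validation. Sort a string form instead, e.g. `sorted(str(scope) for scope in scopes)`, or log the raw claim without sorting, and add a test that feeds a non-orderable scopes claim through this path.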

Review Comment:
   Good catch — fixed in 57894ab. The success audit log now coerces scope 
entries to strings before sorting (`sorted(str(scope) for scope in scopes)`), 
so a malformed/non-orderable scope claim can no longer raise `TypeError` inside 
the log statement and mask an otherwise-valid token as a generic "Token 
validation failed". Added `test_success_log_tolerates_non_orderable_scopes` to 
lock it in.
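An added illustration of the failure mode discussed in this comment (example code, not Superset's `jwt_verifier.py`): a simplified token loader whose success audit log sits inside the same handler that turns errors into a generic `None`; the loader structure, the `coerce_scopes` switch and the sample claims are assumptions made for the example.

```python
# Added example (not Superset's code). Shows how an exception raised inside
# the success audit-log statement can mask an otherwise-valid token, and how
# coercing scope entries to str before sorting avoids it.
import logging
from typing import Optional

logger = logging.getLogger("jwt_verifier_example")


def load_access_token(claims: dict, *, coerce_scopes: bool) -> Optional[dict]:
    """Simplified stand-in for a token loader: validate, audit-log, return.

    Assumed structure: the success log runs inside the same try/except that
    turns any error into a generic "Token validation failed" / None result.
    """
    try:
        client_id = claims.get("client_id")
        scopes = claims.get("scopes", [])
        if not client_id or not isinstance(scopes, list):
            return None
        # The statement under review. sorted() over mixed or non-orderable
        # entries raises TypeError, which the outer handler then swallows.
        if coerce_scopes:
            logged = sorted(str(scope) for scope in scopes)
        else:
            logged = sorted(scopes)
        logger.info(
            "JWT authentication succeeded for client '%s' (scopes=%s)",
            client_id,
            logged,
        )
        return {"client_id": client_id, "scopes": scopes}
    except Exception:
        # Generic failure path: callers cannot tell this apart from a bad token.
        logger.warning("Token validation failed")
        return None


# Constructed sample claims. The second carries a malformed scope entry (a dict
# among strings): valid JSON, but not orderable against str.
WELL_FORMED = {"client_id": "svc-a", "scopes": ["read:datasets", "read:charts"]}
MALFORMED = {"client_id": "svc-b", "scopes": ["read:datasets", {"res": "charts"}]}
```

With `coerce_scopes=False` the malformed claim is rejected with the generic failure message even though every validation passed; with `coerce_scopes=True` the same claim is accepted and logged.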




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
