rusackas opened a new pull request, #40869: URL: https://github.com/apache/superset/pull/40869
### SUMMARY

In `DetailedJWTVerifier.load_access_token()`, the step that fetches the verification key only caught `ValueError`. When a deployment uses JWKS, that key is fetched over the network (httpx), so a connection/timeout/DNS error would raise an exception type the function didn't handle — it propagated out as an unexpected error rather than being treated as a (transient) verification failure.

This catches `httpx.HTTPError`, `OSError` and `TimeoutError` from the key fetch explicitly: it records a generic failure reason, logs a `warning`, and returns `None` so the request is handled as a normal authentication failure.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend error handling.

### TESTING INSTRUCTIONS

```
pytest tests/unit_tests/mcp_service/test_jwt_verifier.py
```

A new test patches the key fetch to raise `httpx.ConnectError` and asserts the call returns `None` with a generic failure reason instead of propagating.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)
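The handling the summary describes, as an added sketch that is not code from the pull request or from Superset. `SketchVerifier`, the fetch callables and the failure-reason strings are hypothetical, and the token and hostname are constructed sample values.

```python
import logging

try:
    import httpx  # the client the PR names for the JWKS fetch
    FETCH_ERRORS = (httpx.HTTPError, OSError, TimeoutError)
except ImportError:  # keeps the sketch runnable where httpx is not installed
    FETCH_ERRORS = (OSError, TimeoutError)

logger = logging.getLogger("jwks_sketch")


class SketchVerifier:
    """Hypothetical stand-in, not Superset's DetailedJWTVerifier."""

    def __init__(self, fetch_key):
        self._fetch_key = fetch_key  # callable: token -> key, may hit the network
        self.failure_reason = None

    def load_access_token(self, token):
        self.failure_reason = None
        try:
            key = self._fetch_key(token)
        except ValueError:
            self.failure_reason = "invalid token"  # assumed wording
            return None
        except FETCH_ERRORS as exc:
            # Detail stays in the log; the caller only sees a generic reason,
            # so the request fails closed as an ordinary authentication failure.
            logger.warning("verification key fetch failed: %s", type(exc).__name__)
            self.failure_reason = "verification key unavailable"  # assumed wording
            return None
        return {"token": token, "key": key}  # signature and claim checks would follow


def unreachable_jwks(token):
    raise ConnectionRefusedError("jwks.internal.example:443")  # constructed failure


def resolver_timeout(token):
    raise TimeoutError("resolver timed out")  # constructed failure


def outcome(fetch_key, token="constructed.jwt.value"):
    """Return (result, failure_reason) for one verification attempt."""
    verifier = SketchVerifier(fetch_key)
    return verifier.load_access_token(token), verifier.failure_reason
```

`ConnectionRefusedError` and `TimeoutError` are both `OSError` subclasses, so the tuple covers socket-level failures even when the fetch does not go through httpx.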
