rusackas opened a new pull request, #41296: URL: https://github.com/apache/superset/pull/41296
### SUMMARY `DetailedJWTVerifier.load_access_token` rejected the `none` algorithm and otherwise compared the token's `alg` against `self.algorithm` — but only inside an `if self.algorithm` guard. The pinned value is currently always populated because the upstream `JWTVerifier` defaults `algorithm` to `RS256`, so the verifier was effectively relying on that upstream default to keep the algorithm pinned. This makes the pinning explicit and self-contained: if no algorithm is pinned, the verifier now rejects the token (fail closed) rather than validating against whatever algorithm family the key/library would otherwise permit. It removes the implicit dependency on the upstream default. This is a small defense-in-depth change — under current behavior `self.algorithm` is always set — so there is no functional change for normally constructed verifiers. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A — backend verification behavior. ### TESTING INSTRUCTIONS Unit test added in `tests/unit_tests/mcp_service/test_jwt_verifier.py` (`test_unpinned_algorithm_is_rejected`): an unpinned verifier rejects a signed token with reason `"No signing algorithm pinned"`. Run: `pytest tests/unit_tests/mcp_service/test_jwt_verifier.py` ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Migration is atomic, supports rollback & is backwards-compatible - [ ] Confirm DB migration upgrade and downgrade tested - [ ] Runtime estimates and downtime expectations provided - [ ] Introduces new feature or API - [ ] Removes existing feature or API -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
