rusackas opened a new pull request, #41965:
URL: https://github.com/apache/superset/pull/41965

   ### SUMMARY
   
   Test-only PR pinning the inconsistency reported in #29934: misspelled (wrong 
trailing-slash) URLs under `/api/v1/security/` are handled inconsistently 
across sibling endpoints.
   
   Three routes live under the same `/api/v1/security/` prefix but are declared 
with different slash conventions:
   
   | Endpoint | Declaration | Wrong-slash request | Status on `master` |
   |---|---|---|---|
   | `login` | `@expose("/login")` (FAB, no trailing slash) | `POST 
/api/v1/security/login/` | **404** |
   | `csrf_token` | `@expose("/csrf_token/")` (trailing slash) | `GET 
/api/v1/security/csrf_token` | **308** redirect |
   | `guest_token` | `@expose("/guest_token/")` (trailing slash) | `POST 
/api/v1/security/guest_token` | **308** redirect |
   
   Because of the mixed conventions, Werkzeug routing treats a "misspelled" URL 
three different ways: one endpoint hard-404s, the others silently redirect to 
the canonical URL. That divergence is exactly the confusion the reporter 
described.
   
   The added test 
(`tests/unit_tests/security/api_test.py::test_security_api_trailing_slash_handled_consistently`)
 asserts the *desired* contract — that a trailing-slash misspelling is handled 
**uniformly** across the sibling security endpoints — without prescribing which 
uniform behavior is correct (all-redirect or all-404), only that they agree. No 
production code is changed.
   
   ### How to interpret CI
   
   This is a **test-only** PR that documents current behavior.
   
   - **Red (test fails) on CI** — expected on `master`: the three endpoints 
return `{404, 308, 308}`, so the consistency assertion fails. This confirms 
#29934 still reproduces.
   - **Green** — the slash conventions have been unified (a real fix landed), 
and the endpoints now agree.
   
   The failing assertion prints the observed statuses, e.g.:
   ```
   AssertionError: Inconsistent handling of misspelled (wrong trailing-slash) 
security URLs:
   {'/api/v1/security/login/': 404, '/api/v1/security/csrf_token': 308, 
'/api/v1/security/guest_token': 308}
   ```
   
   ### TESTING INSTRUCTIONS
   
   ```bash
   pytest 
tests/unit_tests/security/api_test.py::test_security_api_trailing_slash_handled_consistently
 -v
   ```
   
   Runs against a real Superset app (routes registered via 
`SupersetAppInitializer`) on in-memory sqlite — no external services or DB 
required. On `master` it fails (red), demonstrating the reported inconsistency.
   
   ### ADDITIONAL INFORMATION
   
   - [ ] Has associated issue: Closes #29934
   - [x] Test-only change; no production code modified
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to