Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-4120341762

**Bito Automatic Review Skipped – PR Already Merged**

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run. No action is needed if you didn't intend to review it. To get a review, you can type `/review` in a comment and save it.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
-
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi merged PR #37973:
URL: https://github.com/apache/superset/pull/37973
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-4119586017

AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).

Bito Usage Guide

**Commands**
Type the following command in the pull request comment and save the comment.
- `/review` - Manually triggers a full AI review.
- `/pause` - Pauses automatic reviews on this pull request.
- `/resume` - Resumes automatic reviews.
- `/resolve` - Marks all Bito-posted review comments as resolved.
- `/abort` - Cancels all in-progress reviews.
Refer to the documentation (https://docs.bito.ai/bito-dev-agents/ai-code-review-agent/available-commands) for additional commands.

**Configuration**
This repository uses `Superset`. You can customize the agent settings here (https://alpha.bito.ai/home/ai-agents/code-review-agent) or contact your Bito workspace admin at [email protected].

**Documentation & Help**
- Customize agent settings: https://docs.bito.ai/bito-dev-agents/ai-code-review-agent/getting-started/install-run-using-bito-cloud/create-or-customize-an-agent-instance
- Review rules: https://docs.bito.ai/bito-dev-agents/ai-code-review-agent/implementing-custom-code-review-rules
- General documentation: https://docs.bito.ai/bito-dev-agents/ai-code-review-agent
- FAQ: https://docs.bito.ai/bito-dev-agents/ai-code-review-agent/faqs
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-4117263621

AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2980480436
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,233 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useEffect, useRef, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+ const fetchCounterRef = useRef(0);
+
+ async function fetchApiKeys() {
+fetchCounterRef.current += 1;
+const thisRequest = fetchCounterRef.current;
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ // Only apply results if this is still the most recent request
+ if (thisRequest === fetchCounterRef.current) {
+setApiKeys(response.json.result || []);
+ }
+} catch (error) {
+ if (thisRequest === fetchCounterRef.current) {
+addDangerToast(t('Failed to fetch API keys'));
+ }
+} finally {
+ if (thisRequest === fetchCounterRef.current) {
+setLoading(false);
+ }
+}
+ }
+
+ useEffect(() => {
+fetchApiKeys();
+// eslint-disable-next-line react-hooks/exhaustive-deps
+ }, []);
+
+ function handleRevokeKey(keyUuid: string) {
+Modal.confirm({
+ title: t('Revoke API Key'),
+ content: t(
+'Are you sure you want to revoke this API key? This action cannot be
undone.',
+ ),
+ okText: t('Revoke'),
+ okType: 'danger',
+ cancelText: t('Cancel'),
+ onOk: async () => {
+try {
+ await SupersetClient.delete({
+endpoint: `/api/v1/security/api_keys/${keyUuid}`,
+ });
+ addSuccessToast(t('API key revoked successfully'));
+ fetchApiKeys();
+} catch (error) {
+ addDangerToast(t('Failed to revoke API key'));
+}
+ },
+});
+ }
+
+ const formatDate = (dateString: string | null) => {
+if (!dateString) return '-';
+return new Date(dateString).toLocaleDateString(undefined, {
+ year: 'numeric',
+ month: 'short',
+ day: 'numeric',
+});
+ };
+
+ const getStatusBadge = (key: ApiKey) => {
+if (key.revoked_on) {
+ return {t('Revoked')};
+}
+if (key.expires_on && new Date(key.expires_on) < new Date()) {
+ return {t('Expired')};
+}
+return {t('Active')};
+ };
Review Comment:
No, the suggestion isn’t fully correct — it checks active status before
revoked, which could incorrectly display 'Inactive' for revoked keys instead of
'Revoked'. The current PR code correctly prioritizes revoked first, then
expired, then active.
**superset-frontend/src/features/apiKeys/ApiKeyList.tsx**
```tsx
const getStatusBadge = (key: ApiKey) => {
if (key.revoked_on) {
return {t('Revoked')};
}
if (key.expires_on && new Date(key.expires_on) < new Date()) {
return {t('Expired')};
}
if (!key.active) {
return {t('Inactive')};
}
return {t('Active')};
};
```
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2980476831
##
requirements/base.txt:
##
@@ -120,7 +120,7 @@ flask==2.3.3 # flask-session # flask-sqlalchemy # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
The upstream Flask-AppBuilder PR has been merged and released as 5.2.0. The dependency has been updated from the fork to the official release in requirements/base.txt, resolving this.
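Review bot: the `+flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth` line pins the security library to a branch on a personal fork rather than an immutable reference; a branch can be force-pushed, so builds are not reproducible and cannot be checked against a hash the way the surrounding `==` pins can. If a fork is ever needed temporarily, pin it to a commit SHA, and make sure the final diff carries only the released `flask-appbuilder==5.2.0` line mentioned in the reply, with no VCS reference left in requirements/base.txt.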
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2980469552
##
superset/mcp_service/auth.py:
##
@@ -192,6 +209,55 @@ def get_user_from_request() -> User:
if hasattr(g, "user") and g.user:
return g.user
+# Try API key authentication via FAB SecurityManager
+# Only attempt when in a request context (not for MCP internal operations
+# like tool discovery that run with only an application context)
+# Use the Flask config key FAB_API_KEY_ENABLED (not the feature flag),
+# because the config key controls whether FAB registers the API key
+# endpoints and validation logic. The feature flag with the same name
+# in DEFAULT_FEATURE_FLAGS only controls the frontend UI visibility.
+if current_app.config.get("FAB_API_KEY_ENABLED", False) and
has_request_context():
+sm = current_app.appbuilder.sm
+# _extract_api_key_from_request is FAB's internal method for reading
+# the Bearer token from the Authorization header and matching prefixes.
+# Not all FAB versions include this method, so guard with hasattr.
+if not hasattr(sm, "_extract_api_key_from_request"):
+logger.debug(
+"FAB SecurityManager does not have
_extract_api_key_from_request; "
+"API key authentication is not available in this FAB version"
+)
+else:
+api_key_string = sm._extract_api_key_from_request()
+if api_key_string is not None:
+if not hasattr(sm, "validate_api_key"):
+logger.warning(
+"FAB SecurityManager does not have validate_api_key; "
+"cannot validate API key"
+)
+raise ValueError(
+"API key validation is not available in this FAB
version."
+)
+user = sm.validate_api_key(api_key_string)
+if user:
+# Reload user with all relationships eagerly loaded to
avoid
+# detached-instance errors during later permission checks.
+user_with_rels = load_user_with_relationships(
+username=user.username,
+)
+if user_with_rels is None:
+logger.warning(
+"Failed to reload API key user %s with
relationships; "
+"using original user object which may have
lazy-loaded "
+"relationships",
+user.username,
+)
+return user
+return user_with_rels
+raise ValueError(
+"Invalid or expired API key. "
+"Create a new key at /api/v1/security/api_keys/."
+)
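Review bot: when `FAB_API_KEY_ENABLED` is true but `sm` lacks `_extract_api_key_from_request`, the hunk only logs at debug level and falls through, so an operator who switched the feature on gets API-key authentication silently disabled; log that at warning level (ideally once at startup, where the config key is read) or fail loudly, as the `validate_api_key` branch already does. Both failure paths raise `ValueError`, which the error middleware reports as an invalid parameter; an authentication failure should surface as permission denied, so `PermissionError` (or a dedicated auth exception) fits better. The hunk also depends on a private FAB method, `_extract_api_key_from_request`; pinning the FAB version this was written against, or asking upstream for a public accessor, would protect against a rename that this `hasattr` guard would otherwise turn into a silent no-op.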
Review Comment:
Good catch. Fixed in commit 0359dad808 — changed `raise ValueError(...)` to
`raise PermissionError(...)` for both API key validation failures. This ensures
the `GlobalErrorHandlerMiddleware` routes these through the `isinstance(error,
PermissionError)` branch (returning "Permission denied") instead of the
`ValueError` branch ("Invalid parameter").
##
superset/migrations/versions/2026-03-13_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,85 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: a1b2c3d4e5f6
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "a1b2c3d4e5f6"
+
+
+def upgrade() -> None:
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+table_exists = "ab_api_key" in inspector.get_table_names()
+
+
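As an added example (not code from the Superset PR or from Flask-AppBuilder), the following Python models the validation flow this thread discusses: a key is looked up by its stored prefix, compared against its stored hash in constant time, checked in the same revoked, then expired, then inactive, then active order that the status-badge reply earlier in the thread argues for, and every failure is raised as `PermissionError` so the error handler reports "Permission denied" rather than "Invalid parameter", as the reply above describes. The record fields mirror the columns in the migration hunk. `ApiKeyRecord`, `issue_key`, `validate_api_key`, `handle_error`, `authenticate`, the SHA-256 hashing, the in-memory store keyed by prefix, and the 401/403/400 status codes are assumptions for this example; the demo keys are constructed values, not real credentials.

```python
# Added example: in-memory model of API-key validation and error mapping.
# Not code from the Superset PR or Flask-AppBuilder; names, hashing scheme
# and status codes are assumptions (see lead-in).
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

PREFIX_LEN = 8  # assumption; the migration's key_prefix column holds up to 16 chars

@dataclass
class ApiKeyRecord:
    """Mirrors ab_api_key columns from the migration hunk; the plaintext key is never stored."""
    key_prefix: str
    key_hash: str  # hex SHA-256 of the full key (assumption; FAB's scheme may differ)
    username: str
    active: bool = True
    expires_on: Optional[datetime] = None
    revoked_on: Optional[datetime] = None

def hash_key(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def issue_key(store, username, ttl=None) -> str:
    """Mint a random key, persist only prefix + hash, return the plaintext once."""
    raw = secrets.token_urlsafe(32)
    expires = datetime.now(timezone.utc) + ttl if ttl else None
    store[raw[:PREFIX_LEN]] = ApiKeyRecord(raw[:PREFIX_LEN], hash_key(raw), username, expires_on=expires)
    return raw

def extract_api_key(headers) -> Optional[str]:
    """Token from 'Authorization: Bearer <key>', or None when absent or not Bearer."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None

def key_status(rec, now) -> str:
    """Same precedence as the UI badge: revoked, then expired, then inactive, then active."""
    if rec.revoked_on is not None:
        return "revoked"
    if rec.expires_on is not None and rec.expires_on <= now:
        return "expired"
    if not rec.active:
        return "inactive"
    return "active"

def validate_api_key(store, key, now=None) -> str:
    """Return the owning username or raise PermissionError.
    One exception and one message for every failure, so the response does not
    reveal whether the prefix, the secret or the key's status was wrong."""
    now = now or datetime.now(timezone.utc)
    rec = store.get(key[:PREFIX_LEN])
    # Compare against a dummy digest when the prefix is unknown so both paths
    # do the same hashing and comparison work.
    expected = rec.key_hash if rec is not None else hash_key("")
    if not hmac.compare_digest(hash_key(key), expected) or rec is None:
        raise PermissionError("Invalid or expired API key.")
    if key_status(rec, now) != "active":
        raise PermissionError("Invalid or expired API key.")
    return rec.username

def handle_error(err) -> Tuple[int, str]:
    """Branch order as the thread describes for the error middleware; the codes are an assumption."""
    if isinstance(err, PermissionError):
        return 403, "Permission denied"
    if isinstance(err, ValueError):
        return 400, "Invalid parameter"
    return 500, "Internal error"

def authenticate(store, headers, now=None) -> Tuple[int, str]:
    """No key -> 401 so other auth can run; bad key -> mapped error; good key -> 200 + user."""
    key = extract_api_key(headers)
    if key is None:
        return 401, "Authentication required"
    try:
        return 200, validate_api_key(store, key, now)
    except Exception as err:  # the middleware catches everything and maps by type
        return handle_error(err)

# Constructed demo data (not real credentials), fixed so results are reproducible.
DEMO_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
DEMO_GOOD, DEMO_REVOKED = "aaaaaaaa-demo-good-key", "bbbbbbbb-demo-revoked"
DEMO_EXPIRED, DEMO_INACTIVE = "cccccccc-demo-expired", "dddddddd-demo-inactive"

def build_demo_store() -> Dict[str, ApiKeyRecord]:
    def rec(key, user, **kw):
        return ApiKeyRecord(key[:PREFIX_LEN], hash_key(key), user, **kw)
    return {
        DEMO_GOOD[:PREFIX_LEN]: rec(DEMO_GOOD, "alice"),
        DEMO_REVOKED[:PREFIX_LEN]: rec(DEMO_REVOKED, "bob", revoked_on=DEMO_NOW - timedelta(days=1),
                                       expires_on=DEMO_NOW - timedelta(days=2)),
        DEMO_EXPIRED[:PREFIX_LEN]: rec(DEMO_EXPIRED, "carol", expires_on=DEMO_NOW - timedelta(hours=1)),
        DEMO_INACTIVE[:PREFIX_LEN]: rec(DEMO_INACTIVE, "dave", active=False),
    }
```

Calling `authenticate(build_demo_store(), {"Authorization": "Bearer " + DEMO_GOOD}, DEMO_NOW)` returns `(200, "alice")`, while the revoked, expired, inactive and wrong-suffix keys all map to `(403, "Permission denied")` and a request with no bearer token gets `(401, "Authentication required")`, leaving room for other authentication to run. The single failure message is deliberate: the prefix lookup and the hash comparison fail the same way, so a caller learns nothing about which part was wrong.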
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-4071389361

AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2943504308
##
superset-frontend/src/features/apiKeys/ApiKeyCreateModal.tsx:
##
@@ -0,0 +1,160 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import { Alert } from '@apache-superset/core/components';
+import {
+ FormModal,
+ FormItem,
+ Input,
+ Button,
+ Modal,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+
+interface ApiKeyCreateModalProps {
+ show: boolean;
+ onHide: () => void;
+ onSuccess: () => void;
+}
+
+interface FormValues {
+ name: string;
+}
+
+export function ApiKeyCreateModal({
+ show,
+ onHide,
+ onSuccess,
+}: ApiKeyCreateModalProps) {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [createdKey, setCreatedKey] = useState(null);
+ const [copied, setCopied] = useState(false);
+
+ const handleFormSubmit = async (values: FormValues) => {
+try {
+ const response = await SupersetClient.post({
+endpoint: '/api/v1/security/api_keys/',
+jsonPayload: values,
+ });
+ const key = response.json?.result?.key;
+ if (!key) {
+throw new Error('API response did not include a key');
+ }
+ setCreatedKey(key);
+ addSuccessToast(t('API key created successfully'));
+} catch (error) {
+ addDangerToast(t('Failed to create API key'));
+ throw error;
+}
+ };
+
+ const handleCopyKey = async () => {
+if (!createdKey) {
+ return;
+}
+try {
+ await navigator.clipboard.writeText(createdKey);
+ setCopied(true);
+ setTimeout(() => setCopied(false), 2000);
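Review bot: `createdKey` keeps the plaintext secret in component state for as long as the modal is mounted, and nothing in the hunk resets it; clear `createdKey` (and `copied`) in `onHide` and on unmount so the key is not retained or re-rendered after the user closes the dialog, since the server hands it out only once and this state is the only place it lives in the browser. The copy feedback timer at the end of the hunk, `setTimeout(() => setCopied(false), 2000)`, is also untracked, so it can fire after unmount or race with an earlier click; keep its id in a ref and clear it before starting a new one.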
Review Comment:
Fixed in 8d2a6be — the copy-status timeout is now stored in a `useRef`,
cleared before creating a new one on repeated clicks, and cleaned up on unmount
via `useEffect` return.
##
superset/migrations/versions/2026-03-13_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,75 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: a1b2c3d4e5f6
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "a1b2c3d4e5f6"
+
+
+def upgrade() -> None:
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+if "ab_api_key" in inspector.get_table_names():
+return
+
+op.create_table(
+"ab_api_key",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("uuid", sa.String(length=36), nullable=False),
+sa.Column("name", sa.String(length=256), nullable=False),
+sa.Column("key_hash", sa.String(length=256), nullable=False),
+sa.Column("key_prefix", sa.String(length=16), nullable=False),
+sa.Column("user_id", sa.Integer(), nullable=Fals
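Review bot: the early `return` after `if "ab_api_key" in inspector.get_table_names():` accepts any pre-existing table of that name as-is, so an install whose `ab_api_key` was created earlier by FAB's `create_all()` with a different column set is stamped as migrated without the shape this hunk defines (`key_hash` String(256), `key_prefix` String(16), and so on) ever being checked; compare `inspector.get_columns("ab_api_key")` against the expected columns and either add the missing ones or fail with a clear message, rather than silently skipping.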
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2943432838
##
superset-frontend/src/features/apiKeys/ApiKeyCreateModal.tsx:
##
@@ -0,0 +1,160 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import { Alert } from '@apache-superset/core/components';
+import {
+ FormModal,
+ FormItem,
+ Input,
+ Button,
+ Modal,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+
+interface ApiKeyCreateModalProps {
+ show: boolean;
+ onHide: () => void;
+ onSuccess: () => void;
+}
+
+interface FormValues {
+ name: string;
+}
+
+export function ApiKeyCreateModal({
+ show,
+ onHide,
+ onSuccess,
+}: ApiKeyCreateModalProps) {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [createdKey, setCreatedKey] = useState(null);
+ const [copied, setCopied] = useState(false);
+
+ const handleFormSubmit = async (values: FormValues) => {
+try {
+ const response = await SupersetClient.post({
+endpoint: '/api/v1/security/api_keys/',
+jsonPayload: values,
+ });
+ const key = response.json?.result?.key;
+ if (!key) {
+throw new Error('API response did not include a key');
+ }
+ setCreatedKey(key);
+ addSuccessToast(t('API key created successfully'));
+} catch (error) {
+ addDangerToast(t('Failed to create API key'));
+ throw error;
+}
+ };
+
+ const handleCopyKey = async () => {
+if (!createdKey) {
+ return;
+}
+try {
+ await navigator.clipboard.writeText(createdKey);
+ setCopied(true);
+ setTimeout(() => setCopied(false), 2000);
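Review bot: in `handleFormSubmit` the `catch` block both shows a danger toast and rethrows, so if `FormModal` also surfaces a rejected submit the user sees two error indications for one failure; pick one owner for the error UI and document why the rethrow is needed if it is there to keep the modal open. The request also sends `jsonPayload: values` wholesale; with `FormValues` limited to `name` today that is harmless, but any field added to the form later is forwarded to the API unreviewed, so `{ name: values.name }` makes the contract explicit.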
Review Comment:
**Suggestion:** The copy-status timeout is never cleared, so closing the
modal before the timer fires can trigger a state update after unmount, and
repeated clicks can race with older timers that reset the copied state too
early. Store the timeout id in a ref, clear any existing timer before creating
a new one, and clean it up on unmount. [resource leak]
Severity Level: Major ⚠️
```mdx
- ⚠️ API key modal copy feedback can reset unpredictably.
- ⚠️ Timer callback runs after modal unmount lifecycle.
- ⚠️ Affects UserInfo API Keys panel interaction flow.
```
```suggestion
import { useEffect, useRef, useState } from 'react';
import { SupersetClient } from '@superset-ui/core';
import { t } from '@apache-superset/core/translation';
import { css, useTheme } from '@apache-superset/core/theme';
import { Alert } from '@apache-superset/core/components';
import {
FormModal,
FormItem,
Input,
Button,
Modal,
} from '@superset-ui/core/components';
import { useToasts } from 'src/components/MessageToasts/withToasts';
interface ApiKeyCreateModalProps {
show: boolean;
onHide: () => void;
onSuccess: () => void;
}
interface FormValues {
name: string;
}
export function ApiKeyCreateModal({
show,
onHide,
onSuccess,
}: ApiKeyCreateModalProps) {
const theme = useTheme();
const { addDangerToast, addSuccessToast } = useToasts();
const [createdKey, setCreatedKey] = useState(null);
const [copied, setCopied] = useState(false);
const copiedResetTimeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null);
useEffect(() => {
// Cleanup on unmount: cancel any pending copied-state reset timer.
return () => {
if (copiedResetTimeoutRef.current) {
clearTimeout(copiedResetTimeoutRef.current);
}
};
}, []);
const handleFormSubmit = async (values: FormValues) => {
try {
const response = await SupersetClient.post({
endpoint: '/api/v1/security/api_keys/',
jsonPayload: values,
});
const key = response.json?.result?.key;
if (!key) {
throw new Error('API response did not include a key');
}
setCreatedKey(key);
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-4058008520

AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-4057421505

AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2932499577
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,233 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useEffect, useRef, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+ const fetchCounterRef = useRef(0);
+
+ async function fetchApiKeys() {
+fetchCounterRef.current += 1;
+const thisRequest = fetchCounterRef.current;
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ // Only apply results if this is still the most recent request
+ if (thisRequest === fetchCounterRef.current) {
+setApiKeys(response.json.result || []);
+ }
+} catch (error) {
+ if (thisRequest === fetchCounterRef.current) {
+addDangerToast(t('Failed to fetch API keys'));
+ }
+} finally {
+ if (thisRequest === fetchCounterRef.current) {
+setLoading(false);
+ }
+}
+ }
+
+ useEffect(() => {
+fetchApiKeys();
+// eslint-disable-next-line react-hooks/exhaustive-deps
+ }, []);
+
+ function handleRevokeKey(keyUuid: string) {
+Modal.confirm({
+ title: t('Revoke API Key'),
+ content: t(
+'Are you sure you want to revoke this API key? This action cannot be
undone.',
+ ),
+ okText: t('Revoke'),
+ okType: 'danger',
+ cancelText: t('Cancel'),
+ onOk: async () => {
+try {
+ await SupersetClient.delete({
+endpoint: `/api/v1/security/api_keys/${keyUuid}`,
+ });
+ addSuccessToast(t('API key revoked successfully'));
+ fetchApiKeys();
+} catch (error) {
+ addDangerToast(t('Failed to revoke API key'));
+}
+ },
+});
+ }
+
+ const formatDate = (dateString: string | null) => {
+if (!dateString) return '-';
+return new Date(dateString).toLocaleDateString(undefined, {
+ year: 'numeric',
+ month: 'short',
+ day: 'numeric',
+});
+ };
+
+ const getStatusBadge = (key: ApiKey) => {
+if (key.revoked_on) {
+ return {t('Revoked')};
+}
+if (key.expires_on && new Date(key.expires_on) < new Date()) {
+ return {t('Expired')};
+}
+return {t('Active')};
+ };
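Review bot: `getStatusBadge` decides Active versus Expired in the browser from `revoked_on`/`expires_on` with the client clock and never reads `active`, so a key the backend treats as disabled renders as Active and a skewed client clock flips the badge either way. Since this badge is the only place a user sees whether a key is live, have `/api/v1/security/api_keys/` return a server-computed status and display that; at minimum test `key.active` before the date comparison. Separately, `handleRevokeKey`'s `onOk` awaits the DELETE and then calls `addSuccessToast` and `fetchApiKeys` without the `fetchCounterRef` check the list fetch uses, so a revoke that completes after the user has navigated away still fires a toast.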
Review Comment:
Missing active status check
The getStatusBadge function overlooks the 'active' field, potentially
displaying 'Active' for keys that are actually inactive. This could mislead
users about key validity. It looks like the API includes an 'active' boolean,
so checking it first ensures accurate status representation.
Code suggestion
Check the AI-generated fix before applying
```suggestion
const getStatusBadge = (key: ApiKey) => {
if (!key.active) {
return {t('Inactive')};
}
if (key.revoked_on) {
return {t('Revoked')};
}
if (key.expires_on && new Date(key.expires_on) < new Date()) {
return {t('Expired')};
}
return {t('Active')};
};
```
Code Review Run #087239
---
Should Bi
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4056382137 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2932095852
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,223 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useEffect, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+
+ async function fetchApiKeys() {
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ setApiKeys(response.json.result || []);
+} catch (error) {
+ addDangerToast(t('Failed to fetch API keys'));
+} finally {
+ setLoading(false);
+}
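Review bot: `useState([])` on the `apiKeys` line is inferred as `never[]`, so `setApiKeys(response.json.result || [])` and the rows later handed to the table lose the `ApiKey` typing the exported interface defines; use `useState<ApiKey[]>([])` so a field rename in `ApiKey` fails type-checking instead of rendering `undefined`.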
Review Comment:
The fetchApiKeys call is triggered by a single useEffect on mount and by
explicit user actions (create/delete). There's no path where concurrent calls
happen naturally. The loading state correctly wraps the async operation. If
this becomes an issue with future features, we can add an AbortController
pattern, but for the current usage it's safe.
##
superset/mcp_service/auth.py:
##
@@ -192,6 +209,41 @@ def get_user_from_request() -> User:
if hasattr(g, "user") and g.user:
return g.user
+# Try API key authentication via FAB SecurityManager
+# Only attempt when in a request context (not for MCP internal operations
+# like tool discovery that run with only an application context)
+# Avoid circular import: superset/__init__.py imports create_app which
+# depends on the MCP service module tree during app initialization.
+from superset import is_feature_enabled
+
+if is_feature_enabled("FAB_API_KEY_ENABLED") and has_request_context():
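Review bot: this gate reads `FAB_API_KEY_ENABLED` through Superset's `is_feature_enabled`, while the FAB side (per the discussion) reads its own Flask config key; two switches for one feature means a deployment can have MCP attempting key auth that FAB refuses, or FAB accepting keys that MCP never tries. Derive one setting from the other, or assert at startup that they agree, and document the single knob operators must flip. The `has_request_context()` guard is the right fix for tool discovery running under an application context only.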
Review Comment:
Good observation. The MCP auth layer checks
`is_feature_enabled('FAB_API_KEY_ENABLED')` which reads from Superset's feature
flags config. The FAB backend validation uses the Flask config key directly.
Both are set through `superset_config.py` so they're consistent in practice.
The feature flag check in MCP auth is an additional guard — if the flag is off,
MCP won't attempt API key auth at all, which is the desired behavior.
##
superset/mcp_service/auth.py:
##
@@ -192,6 +209,41 @@ def get_user_from_request() -> User:
if hasattr(g, "user") and g.user:
return g.user
+# Try API key authentication via FAB SecurityManager
+# Only attempt when in a request context (not for MCP internal operations
+# like tool discovery that run with only an application context)
+# Avoid circular import: superset/__init__.py imports create_app which
+# depends on the MCP service module tree during app initialization.
+from superset import is_feature_enabled
+
+if is_feature_enabled("FAB_API_KEY_ENABLED") and has_request_context():
+sm = current_app.appbuilder.sm
+# _extract_api_key_from_request is FAB's internal method for reading
+# the Bearer token from the Authorization header and matching prefixes.
+# No public API is exposed for this; see FAB SecurityManager.
+api_key_string = sm._extract_api_key_from_request()
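Review bot: `sm._extract_api_key_from_request()` is a private FAB method, as the comment says, and a FAB upgrade that renames it will not break the build; the `AttributeError` handler described in the reply would then silently switch API-key auth off for MCP. Add a test that calls `get_user_from_request` with an `Authorization: Bearer` header and asserts a user comes back, pin the FAB version range this relies on, and log at warning level when the method is missing so operators see that keys stopped working rather than an unexplained 401. Also confirm the returned string goes through FAB's validation (hash compare, expiry, revocation) rather than being used as a lookup key on its own.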
Review Comment:
The code already wraps the call in a try/except that catches AttributeError
— if the method doesn't exist in a given FAB ver
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4055773107 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2931372691
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,233 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useEffect, useRef, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+ const fetchCounterRef = useRef(0);
+
+ async function fetchApiKeys() {
+fetchCounterRef.current += 1;
+const thisRequest = fetchCounterRef.current;
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ // Only apply results if this is still the most recent request
+ if (thisRequest === fetchCounterRef.current) {
+setApiKeys(response.json.result || []);
+ }
+} catch (error) {
+ if (thisRequest === fetchCounterRef.current) {
+addDangerToast(t('Failed to fetch API keys'));
+ }
+} finally {
+ if (thisRequest === fetchCounterRef.current) {
+setLoading(false);
+ }
+}
+ }
+
+ useEffect(() => {
+fetchApiKeys();
+// eslint-disable-next-line react-hooks/exhaustive-deps
+ }, []);
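Review bot: the effect at the end of this hunk has no cleanup, so the `fetchCounterRef` guard only protects against overlapping fetches, not against a response that lands after `ApiKeyList` unmounts; returning `() => { fetchCounterRef.current += 1; }` from the effect marks any in-flight request stale. The `eslint-disable-next-line react-hooks/exhaustive-deps` hides that `fetchApiKeys` is recreated on every render; wrapping it in `useCallback` (or defining it inside the effect) removes the need for the suppression.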
Review Comment:
**Suggestion:** The pending fetch request is not invalidated on unmount, so
a late response can still call state setters and trigger toasts after the
component is gone. Add an effect cleanup that bumps the request counter to
cancel in-flight updates for unmounted components. [resource leak]
Severity Level: Major ⚠️
```mdx
- ⚠️ API Keys fetch errors toast after leaving page.
- ⚠️ Unmounted component still executes stale async callbacks.
```
```suggestion
useEffect(() => {
fetchApiKeys();
return () => {
fetchCounterRef.current += 1;
};
// eslint-disable-next-line react-hooks/exhaustive-deps
}, []);
```
Steps of Reproduction ✅
```mdx
1. Open the User Info SPA route `/user_info/` (registered in
`superset-frontend/src/views/routes.tsx:324`) with
`FeatureFlag.FabApiKeyEnabled` enabled.
2. `UserInfo` renders `` inside the API Keys panel
(`superset-frontend/src/pages/UserInfo/index.tsx:222-228`), and `ApiKeyList`
immediately
calls `fetchApiKeys()` in `useEffect`
(`superset-frontend/src/features/apiKeys/ApiKeyList.tsx:76-79`).
3. While `SupersetClient.get('/api/v1/security/api_keys/')` is still pending
(`ApiKeyList.tsx:58-60`), navigate away to another route so `ApiKeyList`
unmounts.
4. When the request resolves/rejects, `thisRequest ===
fetchCounterRef.current` is still
true (no unmount invalidation), so callbacks still run `setApiKeys` /
`addDangerToast` /
`setLoading` (`ApiKeyList.tsx:63,67,71`), producing post-unmount side
effects (e.g., toast
on unrelated page).
```
Prompt for AI Agent 🤖
```mdx
This is a comment left during a code review.
**Path:** superset-frontend/src/features/apiKeys/ApiKeyList.tsx
**Line:** 76:79
**Comment:**
*Resource Leak: The pending fetch request is not invalidated on
unmount, so a late response can still call state setters and trigger toasts
after the component is gone. Add an effect cleanup that bu
```
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4055222834

## **Sequence Diagram**

This PR adds API key support end to end: users can manage keys from the User Info page, and those keys are then accepted for authenticated access to protected APIs. The core change is delegating key validation and RBAC checks to FAB SecurityManager so existing protected endpoints work without per-view changes.

```mermaid
sequenceDiagram
    participant User
    participant UserInfoPage
    participant SupersetBackend
    participant FABSecurityManager
    participant ClientScript
    participant ProtectedAPI
    User->>UserInfoPage: Open profile with API keys enabled
    UserInfoPage->>SupersetBackend: List existing API keys
    User->>UserInfoPage: Create new API key
    UserInfoPage->>SupersetBackend: Submit create API key request
    SupersetBackend->>FABSecurityManager: Create key record and hash
    FABSecurityManager-->>UserInfoPage: Return one time API key
    ClientScript->>ProtectedAPI: Call endpoint with bearer API key
    ProtectedAPI->>FABSecurityManager: Validate key and load user permissions
    FABSecurityManager-->>ProtectedAPI: Authenticated user with RBAC context
    ProtectedAPI-->>ClientScript: Authorized API response
```

---
*Generated by [CodeAnt AI](https://codeant.ai)*
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4054911677 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4054576616

## **Sequence Diagram**

This PR adds API key management in the user profile and routes API key authentication through FAB SecurityManager so protected Superset APIs can be accessed programmatically. The core flow is key creation in the UI followed by bearer key validation and RBAC enforcement on API requests.

```mermaid
sequenceDiagram
    participant User
    participant UserInfoPage
    participant SecurityAPI
    participant Automation
    participant SupersetAPI
    participant FABSecurityManager
    User->>UserInfoPage: Open API Keys section
    UserInfoPage->>SecurityAPI: List create and revoke API keys
    SecurityAPI-->>UserInfoPage: Return key metadata and new key once
    Automation->>SupersetAPI: Call protected endpoint with bearer API key
    SupersetAPI->>FABSecurityManager: Validate API key and check access
    FABSecurityManager-->>SupersetAPI: Return authenticated user context
    SupersetAPI-->>Automation: Return authorized API response
```

---
*Generated by [CodeAnt AI](https://codeant.ai)*
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4054555363 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2930449578
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,223 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useEffect, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+
+ async function fetchApiKeys() {
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ setApiKeys(response.json.result || []);
+} catch (error) {
+ addDangerToast(t('Failed to fetch API keys'));
+} finally {
+ setLoading(false);
+}
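Review bot: in the `catch (error)` branch the error is dropped, so a 401/403 from `/api/v1/security/api_keys/` (feature flag off, permission missing) produces the same 'Failed to fetch API keys' toast as a network failure and leaves nothing in the console for support; log the error or branch on `error.status` so the two cases are distinguishable.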
Review Comment:
**Suggestion:** Concurrent `fetchApiKeys` calls can resolve out of order and
overwrite newer data with stale results, and they also toggle loading state
incorrectly when requests overlap. Track the latest request and only apply
`setApiKeys`/`setLoading(false)` for the most recent call. [race condition]
Severity Level: Major ⚠️
```mdx
- ⚠️ API key list can revert to stale data.
- ⚠️ Loading spinner can hide during active fetch.
- ⚠️ Create/revoke feedback may not match displayed table.
```
```suggestion
const [apiKeys, setApiKeys] = useState([]);
const [loading, setLoading] = useState(false);
const [showCreateModal, setShowCreateModal] = useState(false);
const latestFetchIdRef = useRef(0);
async function fetchApiKeys() {
const fetchId = ++latestFetchIdRef.current;
setLoading(true);
try {
const response = await SupersetClient.get({
endpoint: '/api/v1/security/api_keys/',
});
if (fetchId === latestFetchIdRef.current) {
setApiKeys(response.json.result || []);
}
} catch (error) {
addDangerToast(t('Failed to fetch API keys'));
} finally {
if (fetchId === latestFetchIdRef.current) {
setLoading(false);
}
}
}
```
Steps of Reproduction ✅
```mdx
1. Open `/user_info/` route (registered at
`superset-frontend/src/views/routes.tsx:25` in
the shown snippet, path `/user_info/`), which lazy-loads
`src/pages/UserInfo` and renders
`ApiKeyList` when `FeatureFlag.FabApiKeyEnabled` is true
(`superset-frontend/src/pages/UserInfo/index.tsx:216-221`).
2. On mount, `ApiKeyList` immediately starts request A via `useEffect ->
fetchApiKeys()`
(`ApiKeyList.tsx:66-68`, request at `55-57`).
3. Before request A finishes (slow network), create a key from the same
view: click
"Create API Key" (`ApiKeyList.tsx:199-201`), submit modal
(`ApiKeyCreateModal.tsx:52-57`),
then close modal; this triggers `onSuccess()`
(`ApiKeyCreateModal.tsx:78-81`) which calls
`fetchApiKeys()` again as request B (`ApiKeyList.tsx:216-218`).
4. If request B returns first, list is updated; if slower request A returns
afterward,
`setApiKeys(...)` (`ApiKeyList.tsx:58`) overwrites newer data with stale
results, and each
request independently runs `setLoading(false)` (`ApiKeyList.tsx:62`), so
spinner can clear
while another fetch is still in flight.
```
Prompt for AI Agent 🤖
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4054223398

## **Sequence Diagram**

This PR adds API key support end to end: users can create keys from the User Info page, and clients can use those keys to access protected Superset APIs. Authentication is delegated to Flask AppBuilder SecurityManager so existing protected endpoints enforce access without per-view changes.

```mermaid
sequenceDiagram
    participant User
    participant UserInfoPage
    participant SecurityAPI
    participant FABSecurityManager
    participant AutomationClient
    participant ProtectedAPI
    User->>UserInfoPage: Create API key
    UserInfoPage->>SecurityAPI: Send create key request
    SecurityAPI->>FABSecurityManager: Generate key and store hash
    FABSecurityManager-->>UserInfoPage: Return new key once
    AutomationClient->>ProtectedAPI: Call API with bearer key
    ProtectedAPI->>FABSecurityManager: Extract and validate API key
    FABSecurityManager-->>ProtectedAPI: Return authenticated user and roles
    ProtectedAPI-->>AutomationClient: Return response when access is allowed
```

---
*Generated by [CodeAnt AI](https://codeant.ai)*
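The lifecycle the sequence diagrams in this thread describe (generate a key, store only its hash, hand the plaintext back once, then extract a bearer key from a request, find the record by prefix and validate it) as an added example; this is not code from the Superset PR or from Flask-AppBuilder, and `ApiKeyStore`, `issue_key`, `authenticate`, `key_status`, `extract_bearer`, the `sk_` prefix and `PREFIX_LEN` are names and values assumed for the illustration. It also shows the server-side counterpart of the `getStatusBadge` discussion above: status is decided with the server's clock and the `active` flag, so the UI only has to display it.

```python
# Added example, not code from the Superset PR or Flask-AppBuilder: a model of the
# key lifecycle in the sequence diagrams above. ApiKeyStore, issue_key, authenticate,
# key_status, extract_bearer, the "sk_" prefix and PREFIX_LEN are illustrative names.
from __future__ import annotations

import hashlib
import hmac
import secrets
import uuid as uuidlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

PREFIX_LEN = 8  # assumed length of the non-secret key_prefix the UI lists


def _utcnow() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ApiKeyRecord:
    uuid: str
    user_id: int
    name: str
    key_prefix: str
    key_hash: str  # what the server persists; the plaintext secret is never stored
    active: bool = True
    created_on: datetime = field(default_factory=_utcnow)
    expires_on: Optional[datetime] = None
    revoked_on: Optional[datetime] = None
    last_used_on: Optional[datetime] = None


def _hash_key(secret: str) -> str:
    # Plain SHA-256 suffices: the secret is CSPRNG output, not a guessable password.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def key_status(rec: ApiKeyRecord, now: Optional[datetime] = None) -> str:
    """Server-side status with the server clock, in the order the validator rejects."""
    now = now or _utcnow()
    if rec.revoked_on is not None:
        return "revoked"
    if not rec.active:
        return "inactive"
    if rec.expires_on is not None and rec.expires_on <= now:
        return "expired"
    return "active"


class ApiKeyStore:
    def __init__(self) -> None:
        # prefix -> candidates: keys may share a prefix, so it only narrows the search
        self._by_prefix: Dict[str, List[ApiKeyRecord]] = {}
        self._by_uuid: Dict[str, ApiKeyRecord] = {}

    def issue_key(self, user_id: int, name: str, ttl: Optional[timedelta] = None) -> Tuple[str, ApiKeyRecord]:
        """Create a key. The plaintext is returned once and never stored."""
        secret = "sk_" + secrets.token_urlsafe(32)
        rec = ApiKeyRecord(
            uuid=str(uuidlib.uuid4()),
            user_id=user_id,
            name=name,
            key_prefix=secret[:PREFIX_LEN],
            key_hash=_hash_key(secret),
            expires_on=_utcnow() + ttl if ttl is not None else None,
        )
        self._by_prefix.setdefault(rec.key_prefix, []).append(rec)
        self._by_uuid[rec.uuid] = rec
        return secret, rec

    def revoke(self, key_uuid: str, now: Optional[datetime] = None) -> bool:
        rec = self._by_uuid.get(key_uuid)
        if rec is None or rec.revoked_on is not None:
            return False  # unknown, or already revoked: revocation is permanent
        rec.revoked_on = now or _utcnow()
        rec.active = False
        return True

    def authenticate(self, presented: str, now: Optional[datetime] = None) -> Optional[ApiKeyRecord]:
        """Resolve a presented key to its record, or None if it must be rejected."""
        now = now or _utcnow()
        digest = _hash_key(presented)
        for rec in self._by_prefix.get(presented[:PREFIX_LEN], []):
            if not hmac.compare_digest(rec.key_hash, digest):
                continue  # constant-time compare of equal-length hex digests
            if key_status(rec, now) != "active":
                return None
            rec.last_used_on = now
            return rec
        return None
```

Two design points carry over to a real implementation: the prefix is indexed but never trusted, since several keys may share it and only the hash compare decides; and status is computed on the server from its own clock, so a badge like `getStatusBadge` should show what the API reports rather than recompute it in the browser.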
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2930391934
##
superset-frontend/src/pages/UserInfo/index.tsx:
##
@@ -159,7 +164,10 @@ export function UserInfo({ user }: { user:
UserWithPermissionsAndRoles }) {
{t('Your user information')}
-
+
Review Comment:
Yes, calling hooks unconditionally at the top of the component while
conditionally rendering UI follows React's rules of hooks, as hooks must be
called in the same order every render.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2930382798
##
superset-frontend/src/pages/UserInfo/index.tsx:
##
@@ -159,7 +164,10 @@ export function UserInfo({ user }: { user:
UserWithPermissionsAndRoles }) {
{t('Your user information')}
-
+
Review Comment:
The useApiKeyContext hook is called unconditionally at the top of the
component. The conditional logic is only around the UI rendering
(showing/hiding the API key section), not the hook call itself. This follows
React rules of hooks.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2927552670
##
superset-frontend/src/pages/UserInfo/index.tsx:
##
@@ -159,7 +164,10 @@ export function UserInfo({ user }: { user:
UserWithPermissionsAndRoles }) {
{t('Your user information')}
-
+
Review Comment:
Conditional defaultActiveKey mismatch
The defaultActiveKey array unconditionally includes 'apiKeys', but the
corresponding Collapse.Panel is only rendered when
isFeatureEnabled(FeatureFlag.FabApiKeyEnabled) is true. This mismatch can cause
React warnings or unexpected collapse behavior when the feature flag is
disabled. Update defaultActiveKey to conditionally include 'apiKeys' based on
the feature flag.
Code Review Run #676a5d
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-4050215704
AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-4031442148
AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2911784319 ## tests/unit_tests/security/api_test.py: ## @@ -39,3 +40,21 @@ def test_csrf_not_exempt(app_context: None) -> None: "PermissionApi", "ViewMenuApi", } + + [email protected]( +"app", +[ Review Comment: Yes, the suggestion is valid — adding `app` to the function signature ensures the indirect parametrization passes the config dict to the `app` fixture, as the parameter name must match the fixture for indirect parametrization to work. **tests/unit_tests/security/api_test.py** ``` @pytest.mark.parametrize( "app", [ { "WTF_CSRF_ENABLED": True, "FAB_API_KEY_ENABLED": True, } ], indirect=True, ) def test_csrf_exempt_blueprints_with_api_key(app: Any, app_context: None) -> None: ``` ## superset/mcp_service/auth.py: ## 
@@ -107,6 +116,33 @@ def get_user_from_request() -> User: if hasattr(g, "user") and g.user: return g.user +# Try API key authentication via FAB SecurityManager +# Only attempt when in a request context (not for MCP internal operations +# like tool discovery that run with only an application context) +# Avoid circular import: superset/__init__.py imports create_app which +# depends on the MCP service module tree during app initialization. +from superset import is_feature_enabled + +if is_feature_enabled("FAB_API_KEY_ENABLED") and has_request_context(): +sm = current_app.appbuilder.sm +# _extract_api_key_from_request is FAB's internal method for reading +# the Bearer token from the Authorization header and matching prefixes. +# No public API is exposed for this; see FAB SecurityManager. +api_key_string = sm._extract_api_key_from_request() +if api_key_string is not None: +user = sm.validate_api_key(api_key_string) +if user: +# Reload user with all relationships eagerly loaded to avoid +# detached-instance errors during later permission checks. +user_with_rels = load_user_with_relationships( +username=user.username, +) +return user_with_rels or user Review Comment: The change improves resilience by logging a warning and falling back to the original user object when `load_user_with_relationships` fails, instead of raising an error. This keeps API key auth working while making lazy-load issues diagnosable via logs.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2911772369
##
superset/migrations/versions/2026-02-14_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,71 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: 4b2a8c9d3e1f
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "4b2a8c9d3e1f"
+
+
+def upgrade():
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+if "ab_api_key" in inspector.get_table_names():
+return
+
+op.create_table(
+"ab_api_key",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("uuid", sa.String(length=36), nullable=False),
+sa.Column("name", sa.String(length=256), nullable=False),
+sa.Column("key_hash", sa.String(length=256), nullable=False),
+sa.Column("key_prefix", sa.String(length=16), nullable=False),
+sa.Column("user_id", sa.Integer(), nullable=False),
+sa.Column("scopes", sa.Text(), nullable=True),
+sa.Column("active", sa.Boolean(), nullable=False, server_default="1"),
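Review bot: `server_default="1"` on the Boolean `active` column is a raw string literal that only works where the backend stores booleans as integers; use `server_default=sa.true()` so SQLAlchemy renders the dialect-appropriate default (`true` on PostgreSQL, `1` on MySQL and SQLite). Two further points on this hunk: `key_prefix` is the column the auth path looks a bearer token up by (the `auth.py` change describes FAB as matching on prefixes), so it should carry an index unless one is created further down in this file; and the early `return` when `ab_api_key` already exists from FAB's `create_all()` means this migration will never reconcile a pre-existing table whose columns differ from the ones listed here, which the docstring should state so operators do not assume the migration validated the schema.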
Review Comment:
Yes, the suggestion is valid — it replaces sa.text("true") with sa.true()
for proper cross-database boolean default compatibility in SQLAlchemy.
##
superset/migrations/versions/2026-02-14_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,73 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: a1b2c3d4e5f6
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "a1b2c3d4e5f6"
+
+
+def upgrade() -> None:
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+if "ab_api_key" in inspector.get_table_names():
+return
+
+op.create_table(
+"ab_api_key",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("uuid", sa.String(length=36), nullable=False),
+sa.Column("name", sa.String(length=256), nullable=False),
+sa.Column("key_hash", sa.String(length=256), nullable=False),
+sa.Column("key_prefix", sa.String(length=16), nullable=False),
+sa.Column("user_id", sa.Integer(), nullable=False),
+sa.Column("scopes", sa.Text(), nullable=True),
+sa.Column(
+"active", sa.Boolean(), nullable=False,
server_default=sa.text("true")
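Review bot: `server_default=sa.text("true")` is still a raw literal passed through unchanged, so it relies on every supported backend accepting the bare word `true` as a boolean column default; `sa.true()` lets SQLAlchemy emit the per-dialect literal and is the portable form for a `sa.Boolean()` column. Since this revision also changes `down_revision` (from `4b2a8c9d3e1f` to `a1b2c3d4e5f6`), double-check that the new parent is the current head so the migration chain does not fork.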
Review Comment:
This question isn’t related to the pull request. I can only help with
questions about the PR’s code or comments.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2911773199
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,224 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useEffect, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+
+ async function fetchApiKeys() {
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ setApiKeys(response.json.result || []);
+} catch (error) {
+ addDangerToast(t('Failed to fetch API keys'));
+} finally {
+ setLoading(false);
+}
+ }
+
+ useEffect(() => {
+fetchApiKeys();
+// eslint-disable-next-line react-hooks/exhaustive-deps
+ }, []);
+
+ function handleRevokeKey(keyUuid: string) {
+Modal.confirm({
+ title: t('Revoke API Key'),
+ content: t(
+'Are you sure you want to revoke this API key? This action cannot be
undone.',
+ ),
+ okText: t('Revoke'),
+ okType: 'danger',
+ cancelText: t('Cancel'),
+ onOk: async () => {
+try {
+ await SupersetClient.delete({
+endpoint: `/api/v1/security/api_keys/${keyUuid}`,
+ });
+ addSuccessToast(t('API key revoked successfully'));
+ fetchApiKeys();
+} catch (error) {
+ addDangerToast(t('Failed to revoke API key'));
+}
+ },
+});
+ }
+
+ const formatDate = (dateString: string | null) => {
+if (!dateString) return '-';
+return new Date(dateString).toLocaleDateString(undefined, {
+ year: 'numeric',
+ month: 'short',
+ day: 'numeric',
+});
+ };
+
+ const getStatusBadge = (key: ApiKey) => {
+if (key.revoked_on) {
+ return {t('Revoked')};
+}
+if (key.expires_on && new Date(key.expires_on) < new Date()) {
+ return {t('Expired')};
+}
+return {t('Active')};
+ };
+
+ const columns = [
+{
+ title: t('Name'),
+ dataIndex: 'name',
+ key: 'name',
+},
+{
+ title: t('Key Prefix'),
+ dataIndex: 'key_prefix',
+ key: 'key_prefix',
+ render: (prefix: string) => (
+
+ {prefix}...
+
+ ),
+},
+{
+ title: t('Created'),
+ dataIndex: 'created_on',
+ key: 'created_on',
+ render: formatDate,
+},
+{
+ title: t('Last Used'),
+ dataIndex: 'last_used_on',
+ key: 'last_used_on',
+ render: formatDate,
+},
+{
+ title: t('Status'),
+ key: 'status',
+ render: (_: unknown, record: ApiKey) => getStatusBadge(record),
+},
+{
+ title: t('Actions'),
+ key: 'actions',
+ render: (_: unknown, record: ApiKey) => (
+<>
+ {!record.revoked_on && (
+
+ handleRevokeKey(record.uuid)}
+ >
+{t('Revoke')}
+
+
+ )}
+
+ ),
+},
+ ];
+
+ return (
+
+
+
+
+{t('API keys allow scoped programmatic access to Superset.')}
+
+
+{t('Keys are shown only once at creation. Store them securely.')}
+
+
+ setShowCreateModal(true
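Review bot: `getStatusBadge` never consults `key.active` even though the `ApiKey` interface declares it, so a key the server has deactivated without stamping `revoked_on` is rendered as Active; check `active` alongside `revoked_on` (for example, return the Revoked badge when `key.revoked_on || !key.active`). The Expired check also compares `expires_on` against the browser clock, so a client with a skewed clock can show a status that differs from what server-side validation enforces; rendering a server-computed status would keep the list consistent. Minor: `fetchApiKeys` is called from a `useEffect` with an `exhaustive-deps` suppression rather than being wrapped in `useCallback`, which hides the dependency rather than resolving it.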
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2911768230
##
superset/migrations/versions/2026-02-14_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,71 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: 4b2a8c9d3e1f
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "4b2a8c9d3e1f"
+
+
+def upgrade():
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+if "ab_api_key" in inspector.get_table_names():
+return
+
+op.create_table(
+"ab_api_key",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("uuid", sa.String(length=36), nullable=False),
+sa.Column("name", sa.String(length=256), nullable=False),
+sa.Column("key_hash", sa.String(length=256), nullable=False),
+sa.Column("key_prefix", sa.String(length=16), nullable=False),
+sa.Column("user_id", sa.Integer(), nullable=False),
+sa.Column("scopes", sa.Text(), nullable=True),
+sa.Column("active", sa.Boolean(), nullable=False, server_default="1"),
Review Comment:
Fixed — changed `server_default=sa.text("true")` to
`server_default=sa.true()` for proper cross-database Boolean compatibility.
##
superset/migrations/versions/2026-02-14_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,73 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: a1b2c3d4e5f6
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "a1b2c3d4e5f6"
+
+
+def upgrade() -> None:
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+if "ab_api_key" in inspector.get_table_names():
+return
+
+op.create_table(
+"ab_api_key",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("uuid", sa.String(length=36), nullable=False),
+sa.Column("name", sa.String(length=256), nullable=False),
+sa.Column("key_hash", sa.String(length=256), nullable=False),
+sa.Column("key_prefix", sa.String(length=16), nullable=False),
+sa.Column("user_id", sa.Integer(), nullable=False),
+sa.Column("scopes", sa.Text(), nullable=True),
+sa.Column(
+"active", sa.Boolean(), nullable=False,
server_default=sa.text("true")
Review Comment:
Fixed in latest commit — changed to `server_default=sa.true()` for proper
cross-database Boolean compatibility.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2911776071 ## tests/unit_tests/security/api_test.py: ## @@ -39,3 +40,21 @@ def test_csrf_not_exempt(app_context: None) -> None: "PermissionApi", "ViewMenuApi", } + + [email protected]( +"app", +[ Review Comment: Fixed — added `app` to the function signature so the indirect parametrize correctly passes the config dict to the `app` fixture. Previously the parametrized config may not have been applied since the test function only declared `app_context`.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2911770428
##
superset/mcp_service/auth.py:
##
@@ -107,6 +116,33 @@ def get_user_from_request() -> User:
if hasattr(g, "user") and g.user:
return g.user
+# Try API key authentication via FAB SecurityManager
+# Only attempt when in a request context (not for MCP internal operations
+# like tool discovery that run with only an application context)
+# Avoid circular import: superset/__init__.py imports create_app which
+# depends on the MCP service module tree during app initialization.
+from superset import is_feature_enabled
+
+if is_feature_enabled("FAB_API_KEY_ENABLED") and has_request_context():
+sm = current_app.appbuilder.sm
+# _extract_api_key_from_request is FAB's internal method for reading
+# the Bearer token from the Authorization header and matching prefixes.
+# No public API is exposed for this; see FAB SecurityManager.
+api_key_string = sm._extract_api_key_from_request()
+if api_key_string is not None:
+user = sm.validate_api_key(api_key_string)
+if user:
+# Reload user with all relationships eagerly loaded to avoid
+# detached-instance errors during later permission checks.
+user_with_rels = load_user_with_relationships(
+username=user.username,
+)
+return user_with_rels or user
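Review bot: when a bearer token is present but `sm.validate_api_key` returns no user, the `if user:` branch is skipped and execution falls through to the rest of `get_user_from_request`, so a malformed, expired or revoked key is never itself rejected here and nothing records the failed attempt; consider treating a present-but-invalid key as an authentication failure for this request and logging it at warning level with the key prefix only (never the key), so stale keys and guessing attempts become visible. Two smaller points in the same hunk: `sm._extract_api_key_from_request()` is, as the comment admits, a private FAB method, so a FAB upgrade can break this path without a type or import error, which argues for a test that exercises it and a pinned FAB version range; and `return user_with_rels or user` falls back silently when `load_user_with_relationships` returns nothing, so that fallback should be logged in this hunk rather than only described in the discussion.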
Review Comment:
Good catch — added explicit warning logging when
`load_user_with_relationships` fails after API key validation, instead of
silently falling back. The fallback still returns the original user object for
resilience, but the warning makes it visible in logs so lazy-load issues can be
diagnosed.
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,224 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useEffect, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+
+ async function fetchApiKeys() {
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ setApiKeys(response.json.result || []);
+} catch (error) {
+ addDangerToast(t('Failed to fetch API keys'));
+} finally {
+ setLoading(false);
+}
+ }
+
+ useEffect(() => {
+fetchApiKeys();
+// eslint-disable-next-line react-hooks/exhaustive-deps
+ }, []);
+
+ function handleRevokeKey(keyUuid: string) {
+Modal.confirm({
+ title: t('Revoke API Key'),
+ content: t(
+'Are you sure you want to revoke this API key? This action cannot be
undone.',
+ ),
+ okText: t('Revoke'),
+ okType: 'danger',
+ cancelText: t('Cancel'),
+ onOk: async () => {
+try {
+ await SupersetClient.delete({
+endpoint: `/api/v1/security/api_keys/${keyUuid}`,
+ });
+ addSuccessToast(t('API key revoked successfully'));
+ fetchApiKeys();
+} catch (error) {
+ addDangerToast(t('Failed to revoke API key'));
+}
+ },
+});
+ }
+
+ const formatDate = (dateString: string | null) => {
+
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2911195100 ## tests/unit_tests/security/api_test.py: ## @@ -39,3 +40,21 @@ def test_csrf_not_exempt(app_context: None) -> None: "PermissionApi", "ViewMenuApi", } + + [email protected]( +"app", +[ Review Comment: Incorrect pytest parametrize for indirect fixture The parametrize decorator uses 'app' as the parameter name, but the function parameter is 'app_context'. With indirect=True, this attempts to pass the config to a non-existent 'app' fixture, causing test failure. Update to 'app_context' to correctly parametrize the app_context fixture. Code suggestion Check the AI-generated fix before applying suggestion @pytest.mark.parametrize( "app_context", [ Code Review Run #a23777
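Review bot: the body of the new parametrized test is not in this hunk, but because it turns on both `WTF_CSRF_ENABLED` and `FAB_API_KEY_ENABLED`, make sure it asserts the exact set of CSRF-exempt blueprint names, the way `test_csrf_not_exempt` above pins `"PermissionApi", "ViewMenuApi"` with a set comparison, rather than only checking that the API key view is present; the regression that matters for CSRF is the exempt set growing, and only an equality assertion catches that.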
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-4030581703
AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2910647663
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,224 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useEffect, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+import { css, useTheme } from '@apache-superset/core/theme';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+
+ async function fetchApiKeys() {
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ setApiKeys(response.json.result || []);
+} catch (error) {
+ addDangerToast(t('Failed to fetch API keys'));
+} finally {
+ setLoading(false);
+}
+ }
+
+ useEffect(() => {
+fetchApiKeys();
+// eslint-disable-next-line react-hooks/exhaustive-deps
+ }, []);
+
+ function handleRevokeKey(keyUuid: string) {
+Modal.confirm({
+ title: t('Revoke API Key'),
+ content: t(
+'Are you sure you want to revoke this API key? This action cannot be
undone.',
+ ),
+ okText: t('Revoke'),
+ okType: 'danger',
+ cancelText: t('Cancel'),
+ onOk: async () => {
+try {
+ await SupersetClient.delete({
+endpoint: `/api/v1/security/api_keys/${keyUuid}`,
+ });
+ addSuccessToast(t('API key revoked successfully'));
+ fetchApiKeys();
+} catch (error) {
+ addDangerToast(t('Failed to revoke API key'));
+}
+ },
+});
+ }
+
+ const formatDate = (dateString: string | null) => {
+if (!dateString) return '-';
+return new Date(dateString).toLocaleDateString(undefined, {
+ year: 'numeric',
+ month: 'short',
+ day: 'numeric',
+});
+ };
+
+ const getStatusBadge = (key: ApiKey) => {
+if (key.revoked_on) {
+ return {t('Revoked')};
+}
+if (key.expires_on && new Date(key.expires_on) < new Date()) {
+ return {t('Expired')};
+}
+return {t('Active')};
+ };
+
+ const columns = [
+{
+ title: t('Name'),
+ dataIndex: 'name',
+ key: 'name',
+},
+{
+ title: t('Key Prefix'),
+ dataIndex: 'key_prefix',
+ key: 'key_prefix',
+ render: (prefix: string) => (
+
+ {prefix}...
+
+ ),
+},
+{
+ title: t('Created'),
+ dataIndex: 'created_on',
+ key: 'created_on',
+ render: formatDate,
+},
+{
+ title: t('Last Used'),
+ dataIndex: 'last_used_on',
+ key: 'last_used_on',
+ render: formatDate,
+},
+{
+ title: t('Status'),
+ key: 'status',
+ render: (_: unknown, record: ApiKey) => getStatusBadge(record),
+},
+{
+ title: t('Actions'),
+ key: 'actions',
+ render: (_: unknown, record: ApiKey) => (
+<>
+ {!record.revoked_on && (
+
+ handleRevokeKey(record.uuid)}
+ >
+{t('Revoke')}
+
+
+ )}
+
+ ),
+},
+ ];
+
+ return (
+
+
+
+
+{t('API keys allow scoped programmatic access to Superset.')}
+
+
+{t('Keys are shown only once at creation. Store them securely.')}
+
+
+ setSho
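Review bot: `useState([])` in `ApiKeyList` carries no type argument, so `apiKeys` is inferred as `never[]` and the `ApiKey` interface declared just above it is never applied to the state; use `useState<ApiKey[]>([])` so the `columns` renderers that take `record: ApiKey` are checked against the real rows. Both `catch (error)` blocks (in `fetchApiKeys` and in the revoke `onOk`) drop the error after showing the toast; pass it to the logger so a failed revoke, which leaves a live key behind, is diagnosable rather than silent.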
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4030141747 ## **Sequence Diagram** This PR adds UI and backend support for users to create and manage API keys, and wires Superset (including MCP tools) to authenticate requests by delegating API key validation to the Flask AppBuilder SecurityManager.

```mermaid
sequenceDiagram
    participant User
    participant Frontend
    participant SupersetBackend
    participant FABSecurityManager
    participant MCPTool
    User->>Frontend: Open user info and choose create API key
    Frontend->>SupersetBackend: Request new API key
    SupersetBackend->>FABSecurityManager: Create and store API key for user
    FABSecurityManager-->>Frontend: Return one time API key via backend
    Frontend-->>User: Display API key for secure copy
    MCPTool->>SupersetBackend: Call MCP endpoint with bearer API key
    SupersetBackend->>FABSecurityManager: Validate API key and load user
    FABSecurityManager-->>SupersetBackend: Return authenticated user
    SupersetBackend-->>MCPTool: Execute MCP action with user permissions
```

--- *Generated by [CodeAnt AI](https://codeant.ai)*
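The create, show-once and validate flow in the diagram, as an added example that is not code from the PR or from Flask-AppBuilder: an in-memory stand-in for the `ab_api_key` table from this thread's migration that persists only `key_prefix` and a salted scrypt `key_hash`, hands the full key out exactly once, and rejects malformed, wrong, expired and revoked keys using a constant-time digest comparison. The `<prefix>.<secret>` key format, the scrypt cost parameters and the versioned `key_hash` encoding are my assumptions.

```python
"""Added example (not Superset's or Flask-AppBuilder's code): in-memory stand-in
for the ab_api_key table (key_prefix, key_hash, active, expires_on, revoked_on,
last_used_on, scopes). Key format, scrypt parameters and hash encoding are assumed."""
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PREFIX_LEN = 8                                 # assumed; fits String(16) key_prefix
HASH_VERSION = "scrypt1"                       # lets a later KDF change coexist with old rows
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost parameters


@dataclass
class ApiKeyRecord:
    """One ab_api_key row as assumed here; the secret itself is never stored."""
    uuid: str
    name: str
    key_prefix: str
    key_hash: str                  # "<version>$<salt_hex>$<digest_hex>" (assumed encoding)
    user_id: int
    scopes: Optional[str]
    created_on: datetime
    active: bool = True
    expires_on: Optional[datetime] = None
    revoked_on: Optional[datetime] = None
    last_used_on: Optional[datetime] = None


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def _verify(secret: str, key_hash: str) -> bool:
    """Compare the presented secret against a stored key_hash in constant time."""
    version, salt_hex, digest_hex = key_hash.split("$")
    if version != HASH_VERSION:   # unknown KDF version: refuse rather than guess
        return False
    return hmac.compare_digest(_derive(secret, bytes.fromhex(salt_hex)),
                               bytes.fromhex(digest_hex))


class ApiKeyStore:
    """Constructed in-memory table; a real backend would query rows by key_prefix."""

    def __init__(self) -> None:
        self._rows: list[ApiKeyRecord] = []

    def create_key(self, user_id: int, name: str, scopes: Optional[str] = None,
                   ttl_days: Optional[int] = None,
                   now: Optional[datetime] = None) -> tuple[str, ApiKeyRecord]:
        """Return (full_key, row); the full key is shown to the user exactly once."""
        now = now or datetime.now(timezone.utc)
        prefix = secrets.token_hex(PREFIX_LEN // 2)   # public lookup handle
        secret = secrets.token_urlsafe(32)            # only its hash is persisted
        salt = secrets.token_bytes(16)
        row = ApiKeyRecord(
            uuid=str(uuid.uuid4()), name=name, key_prefix=prefix,
            key_hash=f"{HASH_VERSION}${salt.hex()}${_derive(secret, salt).hex()}",
            user_id=user_id, scopes=scopes, created_on=now,
            expires_on=now + timedelta(days=ttl_days) if ttl_days else None,
        )
        self._rows.append(row)
        return f"{prefix}.{secret}", row

    def revoke(self, key_uuid: str, now: Optional[datetime] = None) -> bool:
        """Soft-revoke: keep the row for audit, stop it from authenticating."""
        for row in self._rows:
            if row.uuid == key_uuid and row.revoked_on is None:
                row.revoked_on = now or datetime.now(timezone.utc)
                row.active = False
                return True
        return False

    def authenticate(self, authorization: Optional[str],
                     now: Optional[datetime] = None) -> Optional[ApiKeyRecord]:
        """Resolve 'Bearer <prefix>.<secret>' to a live key row, or None."""
        now = now or datetime.now(timezone.utc)
        if not authorization or not authorization.startswith("Bearer "):
            return None
        prefix, sep, secret = authorization[len("Bearer "):].strip().partition(".")
        if not sep or not secret:
            return None
        for row in self._rows:
            if row.key_prefix != prefix:
                continue
            if not row.active or row.revoked_on is not None:
                continue                               # revoked keys never match
            if row.expires_on is not None and row.expires_on <= now:
                continue                               # expired at the boundary too
            if not _verify(secret, row.key_hash):
                continue                               # prefix collision or bad secret
            row.last_used_on = now                     # feeds the "Last Used" column
            return row
        return None
```

The caller (the MCP auth path in this PR) would then load the user behind `row.user_id` and, if scopes are enforced, intersect `row.scopes` with the requested action before proceeding.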
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2908685452
##
superset/mcp_service/auth.py:
##
@@ -107,6 +116,33 @@ def get_user_from_request() -> User:
if hasattr(g, "user") and g.user:
return g.user
+# Try API key authentication via FAB SecurityManager
+# Only attempt when in a request context (not for MCP internal operations
+# like tool discovery that run with only an application context)
+# Avoid circular import: superset/__init__.py imports create_app which
+# depends on the MCP service module tree during app initialization.
+from superset import is_feature_enabled
+
+if is_feature_enabled("FAB_API_KEY_ENABLED") and has_request_context():
+sm = current_app.appbuilder.sm
+# _extract_api_key_from_request is FAB's internal method for reading
+# the Bearer token from the Authorization header and matching prefixes.
+# No public API is exposed for this; see FAB SecurityManager.
+api_key_string = sm._extract_api_key_from_request()
+if api_key_string is not None:
+user = sm.validate_api_key(api_key_string)
+if user:
+# Reload user with all relationships eagerly loaded to avoid
+# detached-instance errors during later permission checks.
+user_with_rels = load_user_with_relationships(
+username=user.username,
+)
+return user_with_rels or user
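Review bot: the user resolved from the API key is returned but never cached on `g.user`, so a second call to `get_user_from_request()` in the same request misses the `hasattr(g, "user") and g.user` fast path at the top of the function and repeats the header parsing, `validate_api_key()` and the `load_user_with_relationships` query; set `g.user` before returning. Nothing in this hunk consults the key's `scopes` either (a column the migration adds, and which the UI copy advertises as "scoped programmatic access"): the MCP caller gets the full user, so either enforce the key's scopes here or document that scopes are not yet enforced. Finally, `sm._extract_api_key_from_request()` is a private FAB method, as the comment admits, so pin FAB tightly enough that an upstream rename cannot break API key auth for MCP without a visible dependency change.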
Review Comment:
API Key Auth Fallback Risk
The code falls back to the original user object if
load_user_with_relationships fails after API key validation, but this user may
not have relationships loaded, risking detached instance errors during
permission checks. It looks like raising an error instead ensures relationships
are always loaded as intended by the comment.
Code suggestion
Check the AI-generated fix before applying
suggestion
if user:
# Reload user with all relationships eagerly loaded to avoid
# detached-instance errors during later permission checks.
user_with_rels = load_user_with_relationships(
username=user.username,
)
if user_with_rels:
return user_with_rels
else:
raise ValueError(
"Failed to reload user with relationships after API
key validation."
)
Code Review Run #5e88a0
---
Should Bito avoid suggestions like this for future reviews? (https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules)
- [ ] Yes, avoid them
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4027697067 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2908319934
##
superset/migrations/versions/2026-02-14_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,73 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: a1b2c3d4e5f6
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "a1b2c3d4e5f6"
+
+
+def upgrade() -> None:
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+if "ab_api_key" in inspector.get_table_names():
+return
+
+op.create_table(
+"ab_api_key",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("uuid", sa.String(length=36), nullable=False),
+sa.Column("name", sa.String(length=256), nullable=False),
+sa.Column("key_hash", sa.String(length=256), nullable=False),
+sa.Column("key_prefix", sa.String(length=16), nullable=False),
+sa.Column("user_id", sa.Integer(), nullable=False),
+sa.Column("scopes", sa.Text(), nullable=True),
+sa.Column(
+"active", sa.Boolean(), nullable=False,
server_default=sa.text("true")
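Review bot: `down_revision` is `"a1b2c3d4e5f6"` here but `"4b2a8c9d3e1f"` in the earlier copy of this file in the thread; confirm the value is the current head of Superset's migration chain, since a stale or placeholder id leaves Alembic with multiple heads and `superset db upgrade` fails. The visible columns also declare no `unique` constraint on `uuid` or `key_prefix`; if those are added below the cut that is fine, otherwise the prefix-based lookup must tolerate collisions and the `DELETE /api/v1/security/api_keys/<uuid>` route cannot rely on `uuid` being unique.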
Review Comment:
Incorrect Boolean Default
The server_default for the 'active' column uses sa.text("true"), which may
not be correctly interpreted as a boolean true in all database dialects. Use
sa.true() for portability across databases like PostgreSQL, MySQL, and SQLite.
Code suggestion
Check the AI-generated fix before applying
suggestion
"active", sa.Boolean(), nullable=False, server_default=sa.true()
Code Review Run #482756
---
Should Bito avoid suggestions like this for future reviews? (https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules)
- [ ] Yes, avoid them
##
requirements/development.txt:
##
@@ -262,7 +262,7 @@ flask==2.3.3
# flask-sqlalchemy
# flask-testing
# flask-wtf
-flask-appbuilder==5.0.2
+flask-appbuilder @
git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
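Review bot: beyond the reproducibility point, a `git+https://` reference to a personal fork in the compiled requirements means CI and every developer install pull code from outside the project's own repositories on each build; keep the fork out of the committed lockfile (or pin it by commit and mark it temporary in the file) until the upstream FAB release with the API key support is pinned, as later comments in this thread say was done with 5.2.0.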
Review Comment:
Unpinned Git Dependency
The git dependency references a branch that can change, potentially causing
non-reproducible builds. Pinning to the commit hash ensures consistent
installations.
Code suggestion
Check the AI-generated fix before applying
suggestion
flask-appbuilder @
git+https://github.com/aminghadersohi/Flask-AppBuilder@84e017b69e7d4984893a09b2776f814e42b65b82
Code Review Run #d57b0d
Breaking API Key Change
Updating FAB to this commit changes the API key lookup hash from BLAKE2b to
scrypt, which will invalidate all existing API keys since the stored
lookup_hash values won't match the new computation. This breaks authentication
for any users relying on API keys. A migration is required to update the
lookup_hash column for existing keys.
Code Review Run #b35d42
Autogenerated file edit
The requirements/development.txt file is autogenerated by uv pip compile, as
indicated by the header comment. Directly editing this file can lead to
inconsistencies when the file is regenerated. Instead, update the source files
(e.g., pyproject.toml or requirements/base.in) and regenerate the requirements.
Additionally, the constraint file requirements/base-constraint.txt referenced
in the autogeneration command does not exist, which would cause regeneration to
fail.
Code Review Run #4827
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4027260232 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4026865765 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4026088752 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2907098142
##
superset/migrations/versions/2026-02-14_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,71 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: 4b2a8c9d3e1f
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "4b2a8c9d3e1f"
+
+
+def upgrade():
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+if "ab_api_key" in inspector.get_table_names():
+return
+
+op.create_table(
+"ab_api_key",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("uuid", sa.String(length=36), nullable=False),
+sa.Column("name", sa.String(length=256), nullable=False),
+sa.Column("key_hash", sa.String(length=256), nullable=False),
+sa.Column("key_prefix", sa.String(length=16), nullable=False),
+sa.Column("user_id", sa.Integer(), nullable=False),
+sa.Column("scopes", sa.Text(), nullable=True),
+sa.Column("active", sa.Boolean(), nullable=False, server_default="1"),
Review Comment:
No, the suggestion isn't fully correct — changing to
`server_default=sa.text("true")` sets the default to a string value, which may
not be interpreted as Boolean true in all databases. Use `sa.true()` for proper
cross-database compatibility instead.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2907084894
##
superset/config.py:
##
@@ -1633,6 +1633,12 @@ def allowed_schemas_for_csv_upload( # pylint:
disable=unused-argument
FAB_ADD_SECURITY_VIEW_MENU_VIEW = False
FAB_ADD_SECURITY_PERMISSION_VIEWS_VIEW = False
+# API Key Authentication via FAB SecurityManager
+# When enabled, users can create API keys for programmatic access
+# Keys are validated by FAB's @protect() decorator automatically
+FAB_API_KEY_ENABLED = True
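Review bot: the comment says keys are validated by FAB's `@protect()` decorator automatically, but the `superset/mcp_service/auth.py` hunk in this thread validates keys explicitly in `get_user_from_request()`; state both entry points in the comment so operators reading `config.py` know which surfaces the flag enables. With the default `True`, every existing install also starts accepting bearer API keys on upgrade, which argues for the `False` default the reviewer asked for.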
Review Comment:
Done — moved `FAB_API_KEY_ENABLED` from a standalone config into
`DEFAULT_FEATURE_FLAGS` with `False` as the default. This way it won't show up
unless explicitly enabled, and it follows the standard feature flag pattern
used across the codebase.
##
superset-frontend/src/pages/UserInfo/index.tsx:
##
@@ -205,6 +209,12 @@ export function UserInfo({ user }: { user:
UserWithPermissionsAndRoles }) {
+ {t('API Keys')}}
+key="apiKeys"
+ >
+
Review Comment:
Good call — created a `FAB_API_KEY_ENABLED` feature flag (added to both
`DEFAULT_FEATURE_FLAGS` in `config.py` and the `FeatureFlag` enum in
`featureFlags.ts`). The API Keys panel is now gated behind
`isFeatureEnabled(FeatureFlag.FabApiKeyEnabled)` so it only renders when the
flag is enabled.
##
superset/migrations/versions/2026-02-14_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,71 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: 4b2a8c9d3e1f
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "4b2a8c9d3e1f"
+
+
+def upgrade():
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+if "ab_api_key" in inspector.get_table_names():
+return
+
+op.create_table(
+"ab_api_key",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("uuid", sa.String(length=36), nullable=False),
+sa.Column("name", sa.String(length=256), nullable=False),
+sa.Column("key_hash", sa.String(length=256), nullable=False),
+sa.Column("key_prefix", sa.String(length=16), nullable=False),
+sa.Column("user_id", sa.Integer(), nullable=False),
+sa.Column("scopes", sa.Text(), nullable=True),
+sa.Column("active", sa.Boolean(), nullable=False, server_default="1"),
Review Comment:
Fixed — changed `server_default="1"` to `server_default=sa.text("true")` for
cross-database compatibility.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
eschutho commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2906553738
##
superset-frontend/src/pages/UserInfo/index.tsx:
##
@@ -205,6 +209,12 @@ export function UserInfo({ user }: { user:
UserWithPermissionsAndRoles }) {
+ {t('API Keys')}}
+key="apiKeys"
+ >
+
Review Comment:
Is this hidden with the config? Should we create a feature flag?
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
eschutho commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2906539599 ## superset/config.py: ## @@ -1633,6 +1633,12 @@ def allowed_schemas_for_csv_upload( # pylint: disable=unused-argument FAB_ADD_SECURITY_VIEW_MENU_VIEW = False FAB_ADD_SECURITY_PERMISSION_VIEWS_VIEW = False +# API Key Authentication via FAB SecurityManager +# When enabled, users can create API keys for programmatic access +# Keys are validated by FAB's @protect() decorator automatically +FAB_API_KEY_ENABLED = True Review Comment: maybe default to false so that this doesn't automatically show up in the next minor version
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
eschutho commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2906539599 ## superset/config.py: ## @@ -1633,6 +1633,12 @@ def allowed_schemas_for_csv_upload( # pylint: disable=unused-argument FAB_ADD_SECURITY_VIEW_MENU_VIEW = False FAB_ADD_SECURITY_PERMISSION_VIEWS_VIEW = False +# API Key Authentication via FAB SecurityManager +# When enabled, users can create API keys for programmatic access +# Keys are validated by FAB's @protect() decorator automatically +FAB_API_KEY_ENABLED = True Review Comment: maybe default to false
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4011175088 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2894961305 ## requirements/development.txt: ## @@ -262,7 +262,7 @@ flask==2.3.3 # flask-sqlalchemy # flask-testing # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth Review Comment: The PR updates flask-appbuilder from 5.0.2 to 5.2.0 in requirements/base.txt and requirements/development.txt, reverting from a temporary git dependency on a fork to a standard PyPI version pin, as the upstream FAB PR 2431 changes are now released.
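Review bot: the line pins a mutable branch (`@amin/ch99414/api-key-auth`) on a personal fork, so two installs from this file can resolve to different code and a force-push to that branch silently changes what CI tests. If the fork has to stay until Flask-AppBuilder PR 2431 is released, pin the exact commit SHA; before merge this line must be a released `flask-appbuilder==` pin from PyPI, as the review comment on this hunk says was eventually done.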
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2894952442 ## requirements/development.txt: ## @@ -262,7 +262,7 @@ flask==2.3.3 # flask-sqlalchemy # flask-testing # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth Review Comment: Acknowledged — the git dependency on the FAB fork is temporary during development. Once the upstream FAB PR (https://github.com/dpgaspar/Flask-AppBuilder/pull/2431) is merged and released to PyPI, this will be reverted to a standard version pin. The commit is now pinned for reproducible builds.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2891922240
##
superset/migrations/versions/2026-02-14_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py:
##
@@ -0,0 +1,71 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""add FAB api key table
+
+Revision ID: f1a2b3c4d5e6
+Revises: 4b2a8c9d3e1f
+Create Date: 2026-02-14 12:00:00.00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "f1a2b3c4d5e6"
+down_revision = "4b2a8c9d3e1f"
+
+
+def upgrade():
+"""Create ab_api_key table for FAB API key authentication.
+
+This table is managed by FAB's SecurityManager. For fresh installs,
+FAB's create_all() handles table creation. This migration ensures
+existing Superset installs get the table on upgrade.
+"""
+conn = op.get_bind()
+inspector = sa.inspect(conn)
+if "ab_api_key" in inspector.get_table_names():
+return
+
+op.create_table(
+"ab_api_key",
+sa.Column("id", sa.Integer(), nullable=False),
+sa.Column("uuid", sa.String(length=36), nullable=False),
+sa.Column("name", sa.String(length=256), nullable=False),
+sa.Column("key_hash", sa.String(length=256), nullable=False),
+sa.Column("key_prefix", sa.String(length=16), nullable=False),
+sa.Column("user_id", sa.Integer(), nullable=False),
+sa.Column("scopes", sa.Text(), nullable=True),
+sa.Column("active", sa.Boolean(), nullable=False, server_default="1"),
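Review bot: in the columns shown there is no primary key on `id`, no foreign key from `user_id` to `ab_user.id`, no unique constraint on `uuid` or `key_hash`, and no index on `key_prefix`, which is the column every authenticated request will be looked up by; if these follow further down the file, fine, otherwise add them before this ships. The early `return` when `ab_api_key` already exists also means a table that FAB's `create_all()` built from a different FAB version is never reconciled; at minimum compare the existing columns against the expected set before returning, so a mismatched schema fails the migration instead of surfacing as a runtime error on the first key lookup.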
Review Comment:
Boolean server_default syntax error
The server_default for the active Boolean column uses "1" which is incorrect
for SQLAlchemy Boolean server defaults. Use sa.true() instead to ensure proper
database-level default handling across all supported databases.
Code suggestion (check the AI-generated fix before applying):
```python
sa.Column("active", sa.Boolean(), nullable=False, server_default=sa.true()),
```
Code Review Run #97aa48
---
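The migration above stores `key_hash` and `key_prefix` rather than the key itself. The following is an added example, not Superset's or Flask-AppBuilder's code, of the issue/verify cycle that schema implies: generate a key under the `sst_` prefix, keep only a hash plus the 16-character lookup prefix, and verify a presented key with a prefix lookup, a constant-time hash comparison and the active/expiry/revocation checks. `KeyRecord`, `issue_key`, `verify_key`, `revoke_key` and the in-memory list standing in for `ab_api_key` are assumptions for illustration; the real FAB implementation may differ in hash function and key format.

```python
"""Added example: issue/verify cycle for a hashed API key store (not FAB's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

PREFIX = "sst_"        # default key prefix named in the PR discussion
PREFIX_COL_LEN = 16    # key_prefix is String(16) in the migration
RANDOM_BYTES = 32      # assumption: 256 bits of entropy per key


@dataclass
class KeyRecord:
    """Subset of an ab_api_key row. The plaintext key is never stored."""
    name: str
    user_id: int
    key_prefix: str
    key_hash: str
    active: bool = True
    expires_on: Optional[datetime] = None
    revoked_on: Optional[datetime] = None
    last_used_on: Optional[datetime] = None


def hash_key(plaintext: str) -> str:
    # SHA-256 hex (64 chars) fits key_hash String(256). No salt or slow KDF is
    # needed because the input is 256 random bits, not a user-chosen password.
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def issue_key(store: list, name: str, user_id: int,
              ttl_seconds: Optional[int] = None,
              now: Optional[datetime] = None) -> Tuple[str, KeyRecord]:
    """Create a key. The plaintext is returned once and must not be kept."""
    now = now or datetime.now(timezone.utc)
    plaintext = PREFIX + secrets.token_urlsafe(RANDOM_BYTES)   # 4 + 43 chars
    record = KeyRecord(
        name=name,
        user_id=user_id,
        # The first 16 chars (prefix + 12 random chars) stay in clear for the
        # lookup; the hash covers the whole key, so the stored prefix alone
        # does not let anyone authenticate.
        key_prefix=plaintext[:PREFIX_COL_LEN],
        key_hash=hash_key(plaintext),
        expires_on=(now + timedelta(seconds=ttl_seconds)
                    if ttl_seconds is not None else None),
    )
    store.append(record)
    return plaintext, record


def revoke_key(record: KeyRecord, now: Optional[datetime] = None) -> None:
    """Revocation keeps the row (for audit) but makes it unusable."""
    record.active = False
    record.revoked_on = now or datetime.now(timezone.utc)


def verify_key(store: list, presented: str,
               now: Optional[datetime] = None) -> Optional[KeyRecord]:
    """Return the live record matching `presented`, or None."""
    now = now or datetime.now(timezone.utc)
    if not presented.startswith(PREFIX) or len(presented) <= PREFIX_COL_LEN:
        return None
    digest = hash_key(presented)
    # In SQL this is WHERE key_prefix = :prefix, so key_prefix needs an index.
    for rec in store:
        if rec.key_prefix != presented[:PREFIX_COL_LEN]:
            continue
        if not hmac.compare_digest(rec.key_hash, digest):
            continue        # same 12-char prefix, different key
        if not rec.active or rec.revoked_on is not None:
            return None     # a hash match on a dead key is still a rejection
        if rec.expires_on is not None and rec.expires_on <= now:
            return None
        rec.last_used_on = now
        return rec
    return None
```

The two properties worth carrying over to whatever FAB actually does: the database never holds anything that can be replayed as a credential (a leaked `ab_api_key` dump yields prefixes and hashes only), and revocation or expiry is checked after the hash match, so a revoked key and a wrong key are indistinguishable to the caller.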
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4007126600 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2891560452
##
superset/mcp_service/auth.py:
##
@@ -127,8 +159,8 @@ def get_user_from_request() -> User:
raise ValueError(
"No authenticated user found. Tried:\n"
+ "\n".join(f" - {d}" for d in details)
-+ "\n\nEither pass a valid JWT bearer token or configure "
-"MCP_DEV_USERNAME for development."
++ "\n\nEither pass a valid API key (Bearer sst_...), "
+"JWT token, or configure MCP_DEV_USERNAME for development."
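Review bot: the hint still names only the `sst_` prefix although `FAB_API_KEY_PREFIXES` is configurable; build it from every configured prefix, not the first one. Separately, whatever is appended to `details` should record only which method was tried (bearer present or not, cookie present or not) and never the presented token itself, since this string is returned to the caller and will end up in client logs.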
Review Comment:
Yes, the suggestion is valid — it makes the error message configurable by
dynamically reading the API key prefix from FAB_API_KEY_PREFIXES config instead
of hardcoding 'sst_'.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2891556588
##
superset/mcp_service/auth.py:
##
@@ -127,8 +159,8 @@ def get_user_from_request() -> User:
raise ValueError(
"No authenticated user found. Tried:\n"
+ "\n".join(f" - {d}" for d in details)
-+ "\n\nEither pass a valid JWT bearer token or configure "
-"MCP_DEV_USERNAME for development."
++ "\n\nEither pass a valid API key (Bearer sst_...), "
+"JWT token, or configure MCP_DEV_USERNAME for development."
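Review bot: a failed authentication is raised here as a plain `ValueError`, the same type a programming error produces, so a caller cannot map it to a 401 without matching on the message text, and an unhandled one becomes a 500 carrying the full list of tried methods. Raise a dedicated exception type (or Flask's unauthorized error) so the MCP layer returns 401 with a fixed body and keeps the `details` list for the server-side log.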
Review Comment:
Fixed — the error message now reads the prefix dynamically from
`FAB_API_KEY_PREFIXES` config instead of hardcoding `"sst_"`.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2891550406 ## superset-frontend/.nvmrc: ## @@ -1 +1 @@ -v20.18.3 +v22.22.0 Review Comment: The PR diff shows the .nvmrc file in superset-frontend being updated from v20.18.3 to v22.22.0 as part of this PR. You've clarified that this change originated from the merged PR #37223, and the Dockerfile consistency will be addressed in that Node upgrade effort.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2891540899 ## superset-frontend/.nvmrc: ## @@ -1 +1 @@ -v20.18.3 +v22.22.0 Review Comment: This change comes from `feat!: upgrade project's Node version to v22 (#37223)` which was merged to master — not part of this PR's changes. The Dockerfile consistency would be addressed as part of that Node upgrade effort.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2891420764 ## superset-frontend/.nvmrc: ## @@ -1 +1 @@ -v20.18.3 +v22.22.0 Review Comment: Node version inconsistency with CI The .nvmrc update to v22.22.0 aligns with package.json engines, but the Dockerfile still uses node:20-trixie-slim for CI. This could cause local builds to succeed on Node 22 while CI fails if Node 22-specific features are used. Update the Dockerfile to ensure consistency. Code Review Run #6934df
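Review bot: the `.nvmrc` bump has nothing to do with API key authentication; if it arrived through a merge of master, rebase the branch so the diff carries only this feature's changes. Unrelated version changes inside a PR that adds a credential type make the security-relevant lines harder to review and impossible to revert on their own.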
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4006581641 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi closed pull request #37973: feat(api-keys): add API key authentication via FAB SecurityManager URL: https://github.com/apache/superset/pull/37973
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2891134305
##
tests/unit_tests/security/api_test.py:
##
@@ -29,6 +29,7 @@ def test_csrf_not_exempt(app_context: None) -> None:
Test that REST API is not exempt from CSRF.
"""
assert {blueprint.name for blueprint in csrf._exempt_blueprints} == {
+"ApiKeyApi",
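Review bot: adding `ApiKeyApi` to the CSRF-exempt set is safe only if that blueprint refuses session-cookie authentication. The `ApiKeyList.tsx` hunk in this thread calls `/api/v1/security/api_keys/` through `SupersetClient`, i.e. from a logged-in browser session, so with this exemption a cross-site POST or DELETE can create or revoke keys for whoever is logged in. Either keep CSRF enforced for this blueprint or make it accept bearer credentials only. The test name `test_csrf_not_exempt` and its docstring also state the opposite of what the assertion checks.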
Review Comment:
The change renames the test function from `test_csrf_not_exempt` to
`test_csrf_exempt_blueprints` and updates the docstring to correctly state that
it verifies CSRF exemption for FAB security API blueprints using token-based
authentication. This addresses the review feedback about the misleading
original name and description, which contradicted the test's actual assertion.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2891128899
##
tests/unit_tests/security/api_test.py:
##
@@ -29,6 +29,7 @@ def test_csrf_not_exempt(app_context: None) -> None:
Test that REST API is not exempt from CSRF.
"""
assert {blueprint.name for blueprint in csrf._exempt_blueprints} == {
+"ApiKeyApi",
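Review bot: the set equality is the right shape for an allowlist: any blueprint later added to `csrf._exempt_blueprints` makes this test fail and forces a reviewer to look, so keep `==` rather than a subset check. `ApiKeyApi` belongs in the expected set only for as long as that blueprint does not authenticate session cookies; if it ever does, removing it from this set is the fix, not updating the test.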
Review Comment:
Fixed — renamed `test_csrf_not_exempt` to `test_csrf_exempt_blueprints` with
a docstring that accurately describes the assertion: verifying that only FAB
security API blueprints (which use token-based auth) are CSRF-exempt.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2888934717
##
tests/unit_tests/security/api_test.py:
##
@@ -29,6 +29,7 @@ def test_csrf_not_exempt(app_context: None) -> None:
Test that REST API is not exempt from CSRF.
"""
assert {blueprint.name for blueprint in csrf._exempt_blueprints} == {
+"ApiKeyApi",
Review Comment:
Test name/comment mismatch
The test function name 'test_csrf_not_exempt' and docstring claiming 'REST
API is not exempt from CSRF' contradict the code, which asserts that these API
blueprints (including the newly added 'ApiKeyApi') are exempt. This mismatch
could confuse maintainers. The code correctly verifies that API blueprints
using token-based auth are exempt from CSRF, as they don't rely on cookies.
Code Review Run #8d1294
---
##
superset/mcp_service/auth.py:
##
@@ -127,8 +159,8 @@ def get_user_from_request() -> User:
raise ValueError(
"No authenticated user found. Tried:\n"
+ "\n".join(f" - {d}" for d in details)
-+ "\n\nEither pass a valid JWT bearer token or configure "
-"MCP_DEV_USERNAME for development."
++ "\n\nEither pass a valid API key (Bearer sst_...), "
+"JWT token, or configure MCP_DEV_USERNAME for development."
Review Comment:
Configurable prefix not reflected in error message
The error message hardcodes the default API key prefix 'sst_', but since
FAB_API_KEY_PREFIXES is configurable, the message should dynamically reflect
the actual configured prefixes to avoid misleading users who have customized
the prefix.
Code suggestion
Check the AI-generated fix before applying
```
-details.append("MCP_DEV_USERNAME is not configured")
-raise ValueError(
-"No authenticated user found. Tried:\\n"
-+ "\\n".join(f" - {d}" for d in details)
-+ "\\n\\nEither pass a valid API key (Bearer sst_...), "
-"JWT token, or configure MCP_DEV_USERNAME for development."
-)
+details.append("MCP_DEV_USERNAME is not configured")
+prefixes = current_app.config.get("FAB_API_KEY_PREFIXES", ["sst_"])
+raise ValueError(
-"No authenticated user found. Tried:\\n"
-+ "\\n".join(f" - {d}" for d in details)
-+ f"\\n\\nEither pass a valid API key (Bearer
{prefixes[0]}...), "
-"JWT token, or configure MCP_DEV_USERNAME for development."
-)
```
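Review bot: the suggested replacement is not a valid patch: the lines inside the new `raise ValueError(` block are marked `-` rather than `+`, so applying it would delete the message body it is meant to keep. Also `{prefixes[0]}` shows only the first configured prefix; join all of `FAB_API_KEY_PREFIXES` into the hint so a deployment with several prefixes gets an accurate message.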
Code Review Run #8d1294
---
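Two points raised in this thread, the CSRF exemption for `ApiKeyApi` and the hardcoded `sst_` prefix in the MCP error message, both come down to how a request authenticator chooses between a bearer API key and a browser session. The block below is an added example, not code from Superset, Flask-AppBuilder or the MCP service: it takes the bearer token only when it carries one of the configured `FAB_API_KEY_PREFIXES`, fails closed when such a token is presented but invalid, enforces the CSRF token exactly when the caller was authenticated by a session cookie, and builds the "tried" message from every configured prefix. `FakeRequest`, `AuthError`, `API_KEY_STORE`, `SESSION_STORE` and the prefix values are constructed for the example; the JWT path of the real `get_user_from_request()` is left out.

```python
"""Added example: bearer-vs-session dispatch and CSRF enforcement (not Superset/FAB code)."""
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Config names from the PR discussion; the values are assumptions for this example.
CONFIG = {
    "FAB_API_KEY_PREFIXES": ["sst_", "ci_"],
    "MCP_DEV_USERNAME": None,
}

# Constructed stores standing in for ab_api_key and the Flask session.
# A real key lookup hashes the presented key and compares in constant time.
API_KEY_STORE = {"sst_abc123": "svc-reporting", "ci_xyz789": "svc-ci"}
SESSION_STORE = {"sess-1": ("alice", "csrf-token-1")}  # cookie -> (user, CSRF token)


@dataclass
class FakeRequest:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class AuthError(Exception):
    """Would map to HTTP 401 (or 403 for a failed CSRF check) in a real app."""


def extract_api_key(headers: dict, prefixes: list) -> Optional[str]:
    """Return the bearer token only if it carries a configured API key prefix."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token if any(token.startswith(p) for p in prefixes) else None


def authenticate(req: FakeRequest) -> Tuple[str, Optional[str]]:
    """Return (username, session_cookie); session_cookie is None for bearer auth."""
    prefixes = CONFIG["FAB_API_KEY_PREFIXES"]
    details = []

    key = extract_api_key(req.headers, prefixes)
    if key is not None:
        # An explicitly presented credential that fails is rejected outright;
        # it must not fall back to whatever session cookie the browser attached.
        user = API_KEY_STORE.get(key)
        if user is None:
            raise AuthError("API key not recognised or revoked")
        return user, None
    details.append("API key: no bearer token with prefix " + " or ".join(prefixes))

    cookie = req.cookies.get("session")
    if cookie in SESSION_STORE:
        return SESSION_STORE[cookie][0], cookie
    details.append("session cookie: missing or unknown")

    if CONFIG["MCP_DEV_USERNAME"]:
        return CONFIG["MCP_DEV_USERNAME"], None
    details.append("MCP_DEV_USERNAME is not configured")

    # Every configured prefix goes into the hint, not a hardcoded sst_.
    shown = ", ".join(f"Bearer {p}..." for p in prefixes)
    raise AuthError(
        "No authenticated user found. Tried:\n"
        + "\n".join(f"  - {d}" for d in details)
        + f"\n\nEither pass a valid API key ({shown}) "
        "or configure MCP_DEV_USERNAME for development."
    )


def handle_key_management(req: FakeRequest) -> str:
    """A state-changing key management call (create/revoke). The CSRF token is
    required exactly when the caller was authenticated by a browser session."""
    user, session_cookie = authenticate(req)
    if req.method != "GET" and session_cookie is not None:
        expected = SESSION_STORE[session_cookie][1]
        presented = req.headers.get("X-CSRFToken", "")
        if not hmac.compare_digest(expected, presented):
            raise AuthError("CSRF token missing or invalid")
    return user
```

The rule the checks exercise is the one a CSRF exemption relies on: a blueprint may skip the CSRF check only for callers that could not have been authenticated by an ambient cookie. If the same endpoint also serves the React list page with session authentication, either the exemption has to go or the session path has to keep its token check.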
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4003704655 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2888472821 ## requirements/base.txt: ## @@ -120,7 +120,7 @@ flask==2.3.3 # flask-session # flask-sqlalchemy # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth Review Comment: This response acknowledges the supply chain risk of using the Flask-AppBuilder fork and commits to updating the PR once the upstream PR merges, addressing the temporary pin. It doesn't directly address the API key hashing change that may invalidate existing keys—if any exist. For a new feature, this might not be an issue.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2888465068
##
requirements/base.txt:
##
@@ -120,7 +120,7 @@ flask==2.3.3
# flask-session
# flask-sqlalchemy
# flask-wtf
-flask-appbuilder==5.0.2
+flask-appbuilder @
git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
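Review bot: `requirements/base.txt` is what end users install, so a `git+https://` reference to a personal fork here makes the release depend on one GitHub account instead of a published PyPI artifact, and pip's `--require-hashes` cannot be used with it. This line has to become a released `flask-appbuilder==` pin before the PR is mergeable; a fork reference is tolerable only in a development requirements file, and even there pinned to a commit SHA rather than the `amin/ch99414/api-key-auth` branch shown.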
Review Comment:
Yes, the Flask-AppBuilder fork needs to be merged upstream first. I'll keep
this PR updated and ready to go once that lands.
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,226 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useCallback, useEffect, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core';
+import { css, useTheme } from '@apache-superset/core/ui';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+
+ const fetchApiKeys = useCallback(async () => {
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ setApiKeys(response.json.result || []);
+} catch (error) {
+ addDangerToast(t('Failed to fetch API keys'));
+} finally {
+ setLoading(false);
+}
+ }, [addDangerToast]);
+
+ useEffect(() => {
+fetchApiKeys();
+ }, [fetchApiKeys]);
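Review bot: `fetchApiKeys` treats `response.json.result` as the complete list and sends no `q` parameter; if `/api/v1/security/api_keys/` pages its results like the other `/api/v1/` list endpoints, a user with more keys than one page never sees the rest here and cannot revoke them from this screen. `catch (error)` also discards the error, so a 403 (missing permission) and a transport failure produce the same toast; inspect the status before choosing the message. It is right that the `ApiKey` interface exposes only `key_prefix` and never the key material.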
Review Comment:
Good catch - the useEffect + useCallback pattern is used here to fetch data
on mount and re-fetch when dependencies change (e.g., after a delete
operation). But I can simplify this. Will clean up.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-4000598779 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-3998682965 > LGTM! I think you also need a code owner stamp though Thank you for your time doing the review. Much appreciated. Hope to be able to return the favor in the future.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973:
URL: https://github.com/apache/superset/pull/37973#issuecomment-3993099881
Code Review Agent Run #6c358d
Actionable Suggestions - 0
Additional Suggestions - 7
tests/unit_tests/security/api_test.py - 1
Potential CSRF vulnerability in API key management · Line 32 (https://github.com/apache/superset/pull/37973/files#diff-876bcb0d994908ea4eb6d4def7255fb7428fd99890722f659dc5c9695be41f15R32)
The addition of 'ApiKeyApi' to the CSRF-exempt blueprints list may
introduce a security vulnerability. Since ApiKeyApi appears to be a REST API
for managing API keys (based on references in superset/mcp_service/auth.py to
'/api/v1/security/api_keys/' endpoints), exempting it from CSRF protection
could allow cross-site request forgery attacks to create or delete API keys. If
this API is accessed from web interfaces, it should remain protected by CSRF
tokens. Consider whether this exemption is truly necessary or if authentication
alone is sufficient.
superset/mcp_service/auth.py - 2
Inaccurate API key documentation · Line 28-34 · https://github.com/apache/superset/pull/37973/files#diff-420249c5b9da86711c69396a53af4d19834ba519dc9b027433aea3269121acf1R28
The docstring claims FAB's SecurityManager has validate_api_key() and
configurable prefixes, but these don't exist. The code also ignores
FAB_API_KEY_PREFIXES config.
Private member access without underscore prefix · Line 127-127 · https://github.com/apache/superset/pull/37973/files#diff-420249c5b9da86711c69396a53af4d19834ba519dc9b027433aea3269121acf1R127
The method `_extract_api_key_from_request` is private (prefixed with
underscore). Consider using a public API or adding a comment explaining why
private member access is necessary here.
Code suggestion
```diff
@@ -126,2 +126,3 @@
sm = current_app.appbuilder.sm
+# Note: Using private method as FAB doesn't expose public API for
key extraction
api_key_string = sm._extract_api_key_from_request()
```
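Review bot: the suggested hunk will not apply as written: the added comment is split across two lines and the continuation `key extraction` carries no `+` marker, so the body has four lines where the header `@@ -126,2 +126,3 @@` declares three; keep the note on a single `+# Note: ...` line. Even with that fixed, a comment does not remove the coupling to a private FAB method: if `_extract_api_key_from_request` is renamed in a FAB release, authentication in superset/mcp_service/auth.py fails at runtime, so a public accessor on the FAB side (or a small local extraction helper covered by a test) would be the more durable fix.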
superset-frontend/src/features/apiKeys/ApiKeyCreateModal.tsx - 4
Missing Return Type Annotation · Line 41-41 · https://github.com/apache/superset/pull/37973/files#diff-fbe138def9e34d59cafeef3267e17d19bc6c78eff986a53cc355e64cdd2509a1R41
Add explicit return type annotation ': JSX.Element' to the
ApiKeyCreateModal function declaration.
Missing Return Type Annotation · Line 51-51 · https://github.com/apache/superset/pull/37973/files#diff-fbe138def9e34d59cafeef3267e17d19bc6c78eff986a53cc355e64cdd2509a1R51
Add explicit return type annotation to handleFormSubmit function as per
BITO.md rule [7819] for improved type safety and consistency.
Code suggestion
```diff
@@ -1,1 +1,1 @@
- const handleFormSubmit = async (values: FormValues) => {
+ const handleFormSubmit = async (values: FormValues): Promise => {
```
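Review bot: the suggested annotation `Promise` has no type argument, and TypeScript rejects a bare `Promise` ("Generic type 'Promise<T>' requires 1 type argument(s)"), so the suggestion as written would not compile; the line should read `const handleFormSubmit = async (values: FormValues): Promise<void> => {`, or `Promise<T>` for whatever the handler actually resolves to.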
Missing Return Type Annotation · Line 64-64 · https://github.com/apache/superset/pull/37973/files#diff-fbe138def9e34d59cafeef3267e17d19bc6c78eff986a53cc355e64cdd2509a1R64
Add explicit return type annotation to handleCopyKey function as per
BITO.md rule [7819] for improved type safety and consistency.
Code suggestion
```diff
@@ -1,1 +1,1 @@
- const handleCopyKey = async () => {
+ const handleCopyKey = async (): Promise => {
```
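Review bot: same defect as the previous suggestion: `Promise` without a type argument is a compile error in TypeScript, so `const handleCopyKey = async (): Promise<void> => {` is the form that type-checks (substitute the actual resolved type if the handler returns one).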
Missing Return Type Annotation · Line 77-77 · https://github.com/apache/superset/pull/37973/files#diff-fbe138def9e34d59cafeef3267e17d19bc6c78eff986a53cc355e64cdd2509a1R77
Add explicit return type annotation to handleClose function as per
BITO.md rule [7819] for improved type safety and consistency.
Review Details
Files reviewed - 9 · Commit Range: f73826f..047879a
- requirements/base.txt
- requirements/development.txt
- superset-frontend/src/features/apiKeys/ApiKeyCreateModal.tsx
- superset-frontend/src/features/apiKeys/ApiKeyList.tsx
- superset-frontend/src/pages/UserInfo/index.tsx
- superset/config.py
- superset/mcp_service/auth.py
- superset/migrations/versions/2026-02-14_12-00_f1a2b3c4d5e6_add_fab_api_key_table.py
- tests/unit_tests/security/api_test.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful
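The CSRF finding in the review above turns on one distinction: a session cookie is attached by the browser to any cross-site request, while an `Authorization` header carrying an API key is not. The gate below, added here as an illustration and not code from Superset or Flask-AppBuilder, requires a session-bound token only for state-changing requests authenticated by the cookie and lets explicitly API-key-authenticated requests through without one; the `Request` class, the cookie name `session`, the `Bearer` scheme and `csrf_gate` are assumptions made for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Server-side secret used to derive session-bound CSRF tokens (constructed for this demo).
CSRF_SECRET = b"demo-secret-do-not-reuse"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Derive a token bound to one session; HMAC means forging one needs the server secret."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def authenticated_by(req: Request) -> Optional[str]:
    """Classify the credential: 'api_key' (explicit header) beats 'session' (ambient cookie)."""
    if req.headers.get("Authorization", "").startswith("Bearer "):
        return "api_key"  # a cross-site form or image request cannot set this header
    if "session" in req.cookies:
        return "session"  # the browser attaches this cookie to cross-site requests too
    return None


def csrf_gate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to a state-changing endpoint.

    Only the cookie-authenticated path needs the token check: that is the path
    an attacker-controlled page can drive without being able to read the response.
    """
    mode = authenticated_by(req)
    if mode is None:
        return False, "unauthenticated"
    if req.method in SAFE_METHODS:
        return True, f"{mode}: safe method"
    if mode == "api_key":
        return True, "api_key: explicit credential, no CSRF check needed"
    expected = csrf_token_for(req.cookies["session"])
    supplied = req.headers.get("X-CSRFToken") or req.form.get("csrf_token", "")
    if hmac.compare_digest(expected.encode(), supplied.encode()):
        return True, "session: valid CSRF token"
    return False, "session: missing or invalid CSRF token"


def demo() -> Dict[str, bool]:
    """Run the scenarios relevant to an API-key management endpoint (constructed inputs)."""
    endpoint = "/api/v1/security/api_keys/"
    sid = "sess-demo-1"
    cases = {
        # A page on another origin submits a form: the cookie rides along, no token available.
        "cross-site form POST with cookie only": Request(
            "POST", endpoint, cookies={"session": sid}, form={"name": "unwanted"}),
        # The real UI sends the session-bound token in a request header.
        "same-origin POST with valid token": Request(
            "POST", endpoint, headers={"X-CSRFToken": csrf_token_for(sid)},
            cookies={"session": sid}),
        # A token minted for a different session must not be accepted.
        "POST with token for another session": Request(
            "POST", endpoint, headers={"X-CSRFToken": csrf_token_for("other")},
            cookies={"session": sid}),
        # A script or CLI presents the API key explicitly: no cookie, no token.
        "DELETE with API key header": Request(
            "DELETE", endpoint + "abc", headers={"Authorization": "Bearer sk-demo-key"}),
        # Both credentials present: the explicit header decides, so no token is needed.
        "POST with API key header and cookie": Request(
            "POST", endpoint, headers={"Authorization": "Bearer sk-demo-key"},
            cookies={"session": sid}),
    }
    return {label: csrf_gate(req)[0] for label, req in cases.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The gate treats safe methods as side-effect free; an endpoint that mutates state on GET would need the token check on that method as well.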
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2819724917
## requirements/development.txt: ## @@ -262,7 +262,7 @@ flask==2.3.3 # flask-sqlalchemy # flask-testing # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
Unpinned Git Dependency
The git dependency references a branch that can change, potentially causing non-reproducible builds. Pinning to the commit hash ensures consistent installations.
Code suggestion (check the AI-generated fix before applying suggestion):
flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@84e017b69e7d4984893a09b2776f814e42b65b82
Code Review Run #d57b0d
Breaking API Key Change
Updating FAB to this commit changes the API key lookup hash from BLAKE2b to scrypt, which will invalidate all existing API keys since the stored lookup_hash values won't match the new computation. This breaks authentication for any users relying on API keys. A migration is required to update the lookup_hash column for existing keys.
Code Review Run #b35d42
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2806830490
## requirements/base.txt: ## @@ -120,7 +120,7 @@ flask==2.3.3 # flask-session # flask-sqlalchemy # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
Supply Chain Security Risk
Switching to a git dependency from a third-party fork introduces supply chain risks, as the branch can change unpredictably and the fork may not be vetted. Flask-AppBuilder is central to authentication and RBAC in Superset, so this could affect security if the fork has untrusted code. Consider using an official release or a pinned commit instead.
Code Review Run #b5c2de
API key hashing change may invalidate existing keys
Updating to this commit changes API key hashing from SHA-256 to HMAC-SHA-256, which may invalidate existing keys. Since Superset uses FAB API keys, this could break authentication. A migration to re-hash keys might be needed.
Code Review Run #3665ad
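Review bot: a requirements-file hunk that only swaps the dependency ref cannot show which hashing scheme the referenced FAB revision uses, and the automated comments on this same hunk disagree (BLAKE2b to scrypt in the comment at discussion_r2819724917, SHA-256 to HMAC-SHA-256 here), so the actual change should be confirmed against the pinned FAB commit before any migration is planned. If the stored lookup_hash is derived only from the secret key, a migration cannot recompute it without the plaintext, and existing keys would have to be reissued rather than re-hashed.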
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-3923421051
**Note on CI failures**: The 2 red checks (`check-python-deps` and `docker-build (lean)`) are expected and temporary. Both are caused by the git dependency on the [FAB feature branch](https://github.com/dpgaspar/Flask-AppBuilder/pull/2431):
- `check-python-deps` — CI re-compiles from `pyproject.toml` and resolves to `flask-appbuilder==5.1.0` (PyPI), which doesn't match our git ref
- `docker-build (lean)` — The lean Docker image doesn't have `git` installed, so it can't clone the git dependency
Both will resolve once the FAB PR is merged and released to PyPI. All other 68 checks pass.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
netlify[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-3921214632
### ✅ Deploy Preview for *superset-docs-preview* ready!
| Name | Link |
|:-:|:--|
| 🔨 Latest commit | 3ca0b5621508f76145fd2db988c74e4eaf425988 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/superset-docs-preview/deploys/6995cea43b065c0008325e07 |
| 😎 Deploy Preview | [https://deploy-preview-37973--superset-docs-preview.netlify.app](https://deploy-preview-37973--superset-docs-preview.netlify.app) |
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2822672393
## requirements/development.txt: ## @@ -262,7 +262,7 @@ flask==2.3.3 # flask-sqlalchemy # flask-testing # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
This question isn’t related to the pull request. I can only help with questions about the PR’s code or comments.
## requirements/base.txt: ## @@ -120,7 +120,7 @@ flask==2.3.3 # flask-session # flask-sqlalchemy # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
This question isn’t related to the pull request. I can only help with questions about the PR’s code or comments.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2822670373
##
requirements/base.txt:
##
@@ -120,7 +120,7 @@ flask==2.3.3
# flask-session
# flask-sqlalchemy
# flask-wtf
-flask-appbuilder==5.0.2
+flask-appbuilder @
git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
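Review bot: this hunk in requirements/base.txt still points at the mutable branch `amin/ch99414/api-key-auth` on a personal fork; the reply on requirements/development.txt in this same review says that file was pinned to commit `84e017b`, and the same pin (preferably the full SHA) should be applied here so both requirement files resolve to one reviewed FAB revision. Because Flask-AppBuilder supplies Superset's authentication and RBAC, a branch ref means the installed security code can change without any Superset review until the upstream release replaces it.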
Review Comment:
Thanks for the review! Yes, absolutely — the FAB PR
(https://github.com/dpgaspar/Flask-AppBuilder/pull/2431) will be merged and
released first. Once it lands on PyPI, this will be reverted to a standard
version pin. The git reference is just for development/CI while both PRs are in
flight.
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,226 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useCallback, useEffect, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core';
+import { css, useTheme } from '@apache-superset/core/ui';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+
+ const fetchApiKeys = useCallback(async () => {
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ setApiKeys(response.json.result || []);
+} catch (error) {
+ addDangerToast(t('Failed to fetch API keys'));
+} finally {
+ setLoading(false);
+}
+ }, [addDangerToast]);
+
+ useEffect(() => {
+fetchApiKeys();
+ }, [fetchApiKeys]);
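Review bot: `useState([])` on the `apiKeys` line carries no type argument, so the state is inferred as `never[]` and the `ApiKey` interface declared just above is never applied to the rows the list renders; declare it as `useState<ApiKey[]>([])` so that `key_prefix`, `active`, `expires_on` and the other fields are type-checked where they are used. Relatedly, the `catch (error)` branch discards the error entirely; logging it (or surfacing the response status in the toast) would make a failed `/api/v1/security/api_keys/` fetch diagnosable.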
Review Comment:
Good question! Yes, the `useEffect` is needed here — it triggers the
initial data fetch when the component mounts. Without it, the API keys list
would never load. Since `fetchApiKeys` is an async side effect (API call), it
can't be called directly during render — `useEffect` is the standard React
pattern for this. The `fetchApiKeys` callback is stable (wrapped in
`useCallback`), so this effectively just fires once on mount.
##
requirements/development.txt:
##
@@ -262,7 +262,7 @@ flask==2.3.3
# flask-sqlalchemy
# flask-testing
# flask-wtf
-flask-appbuilder==5.0.2
+flask-appbuilder @
git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
Good call — pinned to commit `84e017b` for reproducible builds.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2821550502
## requirements/base.txt: ## @@ -120,7 +120,7 @@ flask==2.3.3 # flask-session # flask-sqlalchemy # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
This question isn’t related to the pull request. I can only help with questions about the PR’s code or comments.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
msyavuz commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2821517427
##
requirements/base.txt:
##
@@ -120,7 +120,7 @@ flask==2.3.3
# flask-session
# flask-sqlalchemy
# flask-wtf
-flask-appbuilder==5.0.2
+flask-appbuilder @
git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
Should we push to get that pr merged first?
##
superset-frontend/src/features/apiKeys/ApiKeyList.tsx:
##
@@ -0,0 +1,226 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useCallback, useEffect, useState } from 'react';
+import { SupersetClient } from '@superset-ui/core';
+import { t } from '@apache-superset/core';
+import { css, useTheme } from '@apache-superset/core/ui';
+import {
+ Button,
+ Table,
+ Modal,
+ Tag,
+ Tooltip,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+import { ApiKeyCreateModal } from './ApiKeyCreateModal';
+
+export interface ApiKey {
+ uuid: string;
+ name: string;
+ key_prefix: string;
+ active: boolean;
+ created_on: string;
+ expires_on: string | null;
+ revoked_on: string | null;
+ last_used_on: string | null;
+ scopes: string | null;
+}
+
+export function ApiKeyList() {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [apiKeys, setApiKeys] = useState([]);
+ const [loading, setLoading] = useState(false);
+ const [showCreateModal, setShowCreateModal] = useState(false);
+
+ const fetchApiKeys = useCallback(async () => {
+setLoading(true);
+try {
+ const response = await SupersetClient.get({
+endpoint: '/api/v1/security/api_keys/',
+ });
+ setApiKeys(response.json.result || []);
+} catch (error) {
+ addDangerToast(t('Failed to fetch API keys'));
+} finally {
+ setLoading(false);
+}
+ }, [addDangerToast]);
+
+ useEffect(() => {
+fetchApiKeys();
+ }, [fetchApiKeys]);
Review Comment:
Do we need the effect here?
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2819724917
## requirements/development.txt: ## @@ -262,7 +262,7 @@ flask==2.3.3 # flask-sqlalchemy # flask-testing # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
Unpinned Git Dependency
The git dependency references a branch that can change, potentially causing non-reproducible builds. Pinning to the commit hash ensures consistent installations.
Code suggestion (check the AI-generated fix before applying):
flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@84e017b69e7d4984893a09b2776f814e42b65b82
Code Review Run #d57b0d
## requirements/development.txt: ## @@ -262,7 +262,7 @@ flask==2.3.3 # flask-sqlalchemy # flask-testing # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
Dependency from Personal Fork
Using a dependency from a personal GitHub fork may introduce security risks and maintenance overhead. Since the official Flask-AppBuilder does not support API key authentication, ensure this fork is necessary and consider upstreaming the changes.
Code Review Run #d57b0d
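Review bot: both flagged points reduce to one fix: `@amin/ch99414/api-key-auth` is a mutable branch ref on a personal fork, so the requirement has no integrity anchor, and pip's hash-checking mode cannot verify VCS URLs at all, which silently weakens the lock for every developer install. Until FAB PR #2431 is released, pin the commit (`flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@<commit>`) and leave a comment on the line naming the upstream PR so the temporary state is visible to whoever cuts the next release.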
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-3917691321 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2819542792
##
superset/mcp_service/auth.py:
##
@@ -107,14 +116,32 @@ def get_user_from_request() -> User:
if hasattr(g, "user") and g.user:
return g.user
+# Try API key authentication via FAB SecurityManager
+# Only attempt when in a request context (not for MCP internal operations
+# like tool discovery that run with only an application context)
+from flask import has_request_context
+
+api_key_enabled = current_app.config.get("FAB_API_KEY_ENABLED", False)
+if api_key_enabled and has_request_context():
+sm = current_app.appbuilder.sm
+api_key_string = sm._extract_api_key_from_request()
+if api_key_string is not None:
+user = sm.validate_api_key(api_key_string)
+if user:
+return user
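Review bot: `sm._extract_api_key_from_request()` is an underscore-prefixed method of the forked SecurityManager, so Superset now depends on a private FAB API that can be renamed without notice once the upstream PR lands; prefer a public accessor if the fork exposes one, or isolate the call in one helper so a rename fails in a single place. The `from flask import has_request_context` inside the function body belongs with the module's other Flask imports, and the `user` returned by `validate_api_key()` is returned as-is; reload it through `load_user_with_relationships()` as the `MCP_DEV_USERNAME` fallback path already does, so lazily loaded `roles`/`groups` cannot raise `DetachedInstanceError` after a session rollback.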
Review Comment:
Good catch — this is a valid concern. The user from `validate_api_key()` may
have lazily loaded relationships, which can cause `DetachedInstanceError` if
the session is rolled back later during MCP tool execution.
Fixed by reloading the user via `load_user_with_relationships()` after
successful API key validation, consistent with how the `MCP_DEV_USERNAME`
fallback path already handles this.
##
tests/unit_tests/security/api_test.py:
##
@@ -29,6 +29,7 @@ def test_csrf_not_exempt(app_context: None) -> None:
Test that REST API is not exempt from CSRF.
"""
assert {blueprint.name for blueprint in csrf._exempt_blueprints} == {
+"ApiKeyApi",
Review Comment:
Thanks for flagging this. The CSRF exemption for `ApiKeyApi` is set by FAB
itself — all FAB security API blueprints (`SecurityApi`, `MenuApi`,
`PermissionApi`, etc.) are registered as CSRF-exempt by FAB's
`register_views()` method. This is consistent behavior across the framework.
The CSRF risk is mitigated because:
1. The API key endpoints require JWT Bearer token auth via `@protect()` — a
cross-site request from a browser wouldn't include a valid JWT
2. Session cookies alone are insufficient to access these endpoints
3. The exemption pattern matches all other FAB security APIs already in
production
If we want to change this behavior, it would need to be addressed in FAB
itself (not Superset), since FAB controls how its blueprints are registered.
For now, the test documents the actual state. Happy to open a separate FAB
issue to evaluate adding CSRF protection to security API blueprints if the
community thinks it's warranted.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2819473419
##
superset/mcp_service/auth.py:
##
@@ -107,14 +116,32 @@ def get_user_from_request() -> User:
if hasattr(g, "user") and g.user:
return g.user
+# Try API key authentication via FAB SecurityManager
+# Only attempt when in a request context (not for MCP internal operations
+# like tool discovery that run with only an application context)
+from flask import has_request_context
+
+api_key_enabled = current_app.config.get("FAB_API_KEY_ENABLED", False)
+if api_key_enabled and has_request_context():
+sm = current_app.appbuilder.sm
+api_key_string = sm._extract_api_key_from_request()
+if api_key_string is not None:
+user = sm.validate_api_key(api_key_string)
+if user:
+return user
Review Comment:
**Suggestion:** When authenticating via API key, the user object returned by
the security manager is used directly without going through the
`load_user_with_relationships` helper, so nested relationships like
`Group.roles` may remain lazily loaded and cause detached-instance errors once
the session is closed or rolled back, which is exactly what the helper is meant
to prevent. Reload the user via `load_user_with_relationships` after successful
API key validation so all required relationships are eagerly loaded before MCP
tools run permission checks. [logic error]
Severity Level: Major ⚠️
```mdx
- ❌ MCP tools may crash for API-key-authenticated requests.
- ❌ Permission checks can fail with DetachedInstanceError.
- ⚠️ API-key-based MCP automation becomes unreliable under errors.
- ⚠️ Debugging intermittent auth failures becomes significantly harder.
```
```suggestion
# Reload user with all relationships eagerly loaded to avoid
# detached-instance errors during later permission checks.
user_with_relationships = load_user_with_relationships(
username=user.username,
email=user.email,
)
return user_with_relationships or user
```
Steps of Reproduction ✅
```mdx
1. An MCP tool function is decorated with `mcp_auth_hook` defined in `superset/mcp_service/auth.py` (see wrapper starting around line 176 in the final file).
2. The tool is invoked over HTTP with `Authorization: Bearer sst_...` while `FAB_API_KEY_ENABLED` is True and the call is in a Flask request context, so `_setup_user_context()` (around line 120) calls `get_user_from_request()` (around line 88).
3. Inside `get_user_from_request()` at lines 124–135, the code executes `sm.validate_api_key(api_key_string)` and returns the resulting `user` directly, without using `load_user_with_relationships()` (defined earlier in the same file) to eagerly load `roles`, `groups`, and `Group.roles`.
4. Later in the same MCP call, permission logic (e.g. via `has_dataset_access()` at line 152 which uses `security_manager.can_access_datasource(datasource=dataset)` and relies on `g.user`'s relationships) runs after the SQLAlchemy session has been rolled back by `_cleanup_session_on_error()` at line 212 or by other Superset DB lifecycle code, causing a `DetachedInstanceError` when lazy-loading `user.groups` or `group.roles` from the user obtained via the API key path. The explicit helper `load_user_with_relationships()` exists to avoid exactly these detached-instance errors, but is currently bypassed for API-key-authenticated users.
```
##
tests/unit_tests/security/api_test.py:
##
@@ -29,6 +29,7 @@ def test_csrf_not_exempt(app_context: None) -> None:
Test that REST API is not exempt from CSRF.
"""
assert {blueprint.name for blueprint in csrf._exempt_blueprints} == {
+"ApiKeyApi",
Review Comment:
**S
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-3900935543 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-3900608725 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-3900609538

Addressed all review feedback in d65327189a:

**Fixed:**
- **Clipboard error handling** (CodeAnt): `handleCopyKey` is now `async` with `try/catch` — shows a danger toast on clipboard failure instead of silently showing "Copied!" on an unhandled promise rejection.
- **`has_request_context()` guard** (CodeAnt): API key extraction now only runs when there's an actual HTTP request context, preventing `RuntimeError` in MCP internal operations (tool discovery, etc.) that run with only an application context.
- **`handleClose` ordering** (Bito): Moved `onSuccess()` call before state clearing. While React closures mean the original code wasn't technically buggy (`createdKey` retains its value in the closure), the new ordering is clearer about intent.
- **antd Tag components** (Bito): Replaced custom styled `` elements with antd `` components for status badges, following Superset's convention of preferring antd components over custom CSS.

**Acknowledged (no change needed):**
- **Supply chain risk** (Bito): The git URL dependency on FAB is temporary during development. Will revert to a standard PyPI version pin once [FAB PR #2431](https://github.com/dpgaspar/Flask-AppBuilder/pull/2431) is merged and released.
- **Truncate key prefix** (Bito): The `key_prefix` column is already limited to 16 chars in the database schema, so no truncation is needed in the UI.
- **Specify locale** (Bito): Using `undefined` locale in `toLocaleDateString()` is intentional — it uses the user's browser locale, which is the correct behavior for an internationalized application.
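The fail-closed shape of the API key path discussed in this thread (skip entirely when there is no request, locate the key by its 16-character `key_prefix`, compare the secret in constant time, reject inactive keys), as an added illustration in plain Python. This is not Superset's or Flask-AppBuilder's code: the `sst_` key format, the SHA-256 storage scheme, the `ApiKeyRecord` store and the `user_from_request` wrapper are constructed assumptions, and `headers=None` stands in for "no request context".

```python
"""Constructed illustration of fail-closed API key checks (not FAB's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Mapping, Optional

# The thread notes key_prefix is capped at 16 chars in the schema.
KEY_PREFIX_LEN = 16


@dataclass(frozen=True)
class ApiKeyRecord:
    key_prefix: str   # first 16 chars of the full key, used for lookup only
    key_hash: str     # sha256 hex digest of the full key (constructed scheme)
    username: str
    active: bool = True


def hash_key(key: str) -> str:
    # High-entropy random tokens can be stored as a plain SHA-256 digest;
    # a password-style KDF is unnecessary because the key is not guessable.
    return hashlib.sha256(key.encode()).hexdigest()


def generate_key() -> str:
    """Constructed key format: 'sst_' followed by 43 URL-safe characters."""
    return "sst_" + secrets.token_urlsafe(32)


def extract_api_key(headers: Optional[Mapping[str, str]]) -> Optional[str]:
    """Return the bearer key from the headers, or None.

    headers is None models 'no request context' (the MCP tool-discovery case
    in the thread): nothing is read and auth is skipped instead of raising.
    """
    if headers is None:
        return None
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token.startswith("sst_"):
        return None
    return token


def validate_api_key(key: str, store: Mapping[str, ApiKeyRecord]) -> Optional[str]:
    """Prefix lookup, then constant-time hash comparison.

    Returns the username on success and None on any failure (unknown prefix,
    wrong secret, inactive key); callers never learn which check failed.
    """
    if len(key) <= KEY_PREFIX_LEN:
        return None
    record = store.get(key[:KEY_PREFIX_LEN])
    if record is None or not record.active:
        return None
    if not hmac.compare_digest(record.key_hash, hash_key(key)):
        return None
    return record.username


def user_from_request(
    headers: Optional[Mapping[str, str]],
    store: Mapping[str, ApiKeyRecord],
    api_key_enabled: bool = True,
) -> Optional[str]:
    """Mirrors the gating in the thread's get_user_from_request(): a
    FAB_API_KEY_ENABLED-style flag (default off) and a request-present check."""
    if not api_key_enabled:
        return None
    key = extract_api_key(headers)
    if key is None:
        return None
    return validate_api_key(key, store)


# Constructed sample store: one active key, one revoked key. Fixed values
# rather than generate_key() so the results are reproducible.
ALICE_KEY = "sst_" + "a" * 43
BOB_KEY = "sst_" + "b" * 43
STORE = {
    ALICE_KEY[:KEY_PREFIX_LEN]: ApiKeyRecord(
        ALICE_KEY[:KEY_PREFIX_LEN], hash_key(ALICE_KEY), "alice"),
    BOB_KEY[:KEY_PREFIX_LEN]: ApiKeyRecord(
        BOB_KEY[:KEY_PREFIX_LEN], hash_key(BOB_KEY), "bob", active=False),
}

if __name__ == "__main__":
    print(user_from_request({"Authorization": f"Bearer {ALICE_KEY}"}, STORE))
    print(user_from_request({"Authorization": f"Bearer {BOB_KEY}"}, STORE))
    print(user_from_request(None, STORE))
```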
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2806883357
## requirements/base.txt: ## @@ -120,7 +120,7 @@ flask==2.3.3 # flask-session # flask-sqlalchemy # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
The change pins flask-appbuilder to a development branch temporarily, to be reverted to a standard version pin after the upstream PR merges and releases.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2806881931
##
superset-frontend/src/features/apiKeys/ApiKeyCreateModal.tsx:
##
@@ -0,0 +1,150 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useState } from 'react';
+import { SupersetClient, t } from '@superset-ui/core';
+import { css, useTheme, Alert } from '@apache-superset/core/ui';
+import {
+ FormModal,
+ FormItem,
+ Input,
+ Button,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+
+interface ApiKeyCreateModalProps {
+ show: boolean;
+ onHide: () => void;
+ onSuccess: () => void;
+}
+
+interface FormValues {
+ name: string;
+}
+
+export function ApiKeyCreateModal({
+ show,
+ onHide,
+ onSuccess,
+}: ApiKeyCreateModalProps) {
+ const theme = useTheme();
+ const { addDangerToast, addSuccessToast } = useToasts();
+ const [createdKey, setCreatedKey] = useState(null);
+ const [copied, setCopied] = useState(false);
+
+ const handleFormSubmit = async (values: FormValues) => {
+try {
+ const response = await SupersetClient.post({
+endpoint: '/api/v1/security/api_keys/',
+jsonPayload: values,
+ });
+ setCreatedKey(response.json.result.key);
+ addSuccessToast(t('API key created successfully'));
+} catch (error) {
+ addDangerToast(t('Failed to create API key'));
+}
+ };
+
+ const handleCopyKey = () => {
+if (createdKey) {
+ navigator.clipboard.writeText(createdKey);
+ setCopied(true);
+ setTimeout(() => setCopied(false), 2000);
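Review bot: `handleCopyKey` calls `navigator.clipboard.writeText(createdKey)` without awaiting it, so a rejected promise (permission denied, non-secure context) still flips `copied` to true and shows the success state; make the handler `async`, `await` the write inside `try/catch`, and raise a danger toast on failure. Separately, the plaintext key is held in `createdKey` state after creation, so the close path must reset `createdKey` and `copied` so the secret does not linger in the mounted component once the modal is dismissed, and the `catch (error)` in `handleFormSubmit` should log the error rather than drop it.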
Review Comment:
Good catch — the clipboard write is async and should be awaited with error
handling. Fixed in d65327189a: `handleCopyKey` is now `async`, awaits the
clipboard write, and shows a danger toast on failure instead of silently
swallowing the rejected promise.
##
superset/mcp_service/auth.py:
##
@@ -107,14 +116,28 @@ def get_user_from_request() -> User:
if hasattr(g, "user") and g.user:
return g.user
+# Try API key authentication via FAB SecurityManager
+api_key_enabled = current_app.config.get("FAB_API_KEY_ENABLED", False)
+if api_key_enabled:
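Review bot: the branch is entered whenever `FAB_API_KEY_ENABLED` is truthy, but the extraction helper it calls reads `flask.request`, which raises `RuntimeError` when `mcp_auth_hook` runs under only an application context (tool discovery, background invocation); gate the block with `has_request_context()` so non-HTTP MCP operations skip API key auth instead of crashing. The `False` default on the config lookup is the right fail-closed choice and should stay.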
Review Comment:
Valid point — when MCP tools run with only an application context (no HTTP
request), `_extract_api_key_from_request()` would hit a RuntimeError trying to
access `flask.request`. Fixed in d65327189a by guarding with
`has_request_context()` so API key auth is only attempted when there's an
actual HTTP request.
##
requirements/base.txt:
##
@@ -120,7 +120,7 @@ flask==2.3.3
# flask-session
# flask-sqlalchemy
# flask-wtf
-flask-appbuilder==5.0.2
+flask-appbuilder @
git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
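Review bot: this is the same branch pin as the one in `requirements/development.txt`, and both lines must be reverted together when FAB PR #2431 is released; add a `# TODO` comment beside this line naming that PR, and pin a commit hash in the meantime, since `base.txt` is the base requirements file rather than a dev-only one and a moving branch ref gives installs no integrity anchor.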
Review Comment:
Acknowledged — this is a temporary pin to the FAB feature branch during
development. Once the FAB PR
(https://github.com/dpgaspar/Flask-AppBuilder/pull/2431) is merged and released
to PyPI, this will be reverted to a standard version pin (e.g.,
`flask-appbuilder>=5.2.0`).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on code in PR #37973: URL: https://github.com/apache/superset/pull/37973#discussion_r2806830490
## requirements/base.txt: ## @@ -120,7 +120,7 @@ flask==2.3.3 # flask-session # flask-sqlalchemy # flask-wtf -flask-appbuilder==5.0.2 +flask-appbuilder @ git+https://github.com/aminghadersohi/Flask-AppBuilder@amin/ch99414/api-key-auth
Review Comment:
Supply Chain Security Risk
Switching to a git dependency from a third-party fork introduces supply chain risks, as the branch can change unpredictably and the fork may not be vetted. Flask-AppBuilder is central to authentication and RBAC in Superset, so this could affect security if the fork has untrusted code. Consider using an official release or a pinned commit instead.
Code Review Run #b5c2de
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codecov[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-3900502940

## [Codecov](https://app.codecov.io/gh/apache/superset/pull/37973?dropdown=coverage&src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) Report

:x: Patch coverage is `18.18182%` with `9 lines` in your changes missing coverage. Please review.
:white_check_mark: Project coverage is 64.86%. Comparing base ([`76d897e`](https://app.codecov.io/gh/apache/superset/commit/76d897eaa2f9e137102bc194c2e3109c29d0348f?dropdown=coverage&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache)) to head ([`c2d4245`](https://app.codecov.io/gh/apache/superset/commit/c2d4245bb6b7ad31e7cfde2d1d2398d243e0f17a?dropdown=coverage&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache)).
:warning: Report is 3749 commits behind head on master.

| [Files with missing lines](https://app.codecov.io/gh/apache/superset/pull/37973?dropdown=coverage&src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | Patch % | Lines |
|---|---|---|
| [superset/mcp\_service/auth.py](https://app.codecov.io/gh/apache/superset/pull/37973?src=pr&el=tree&filepath=superset%2Fmcp_service%2Fauth.py&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache#diff-c3VwZXJzZXQvbWNwX3NlcnZpY2UvYXV0aC5weQ==) | 0.00% | [9 Missing :warning: ](https://app.codecov.io/gh/apache/superset/pull/37973?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##           master   #37973      +/-   ##
==========================================
+ Coverage   60.48%   64.86%   +4.37%
==========================================
  Files        1931      668    -1263
  Lines       76236    51333   -24903
  Branches     8568     5779    -2789
==========================================
- Hits        46114    33296   -12818
+ Misses      28017    16635   -11382
+ Partials     2105     1402     -703
```

| [Flag](https://app.codecov.io/gh/apache/superset/pull/37973/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | Coverage Δ | |
|---|---|---|
| [hive](https://app.codecov.io/gh/apache/superset/pull/37973/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `41.47% <18.18%> (-7.69%)` | :arrow_down: |
| [javascript](https://app.codecov.io/gh/apache/superset/pull/37973/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `?` | |
| [postgres](https://app.codecov.io/gh/apache/superset/pull/37973/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `64.59% <18.18%> (?)` | |
| [presto](https://app.codecov.io/gh/apache/superset/pull/37973/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `41.48% <18.18%> (-12.32%)` | :arrow_down: |
| [python](https://app.codecov.io/gh/apache/superset/pull/37973/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `64.84% <18.18%> (+1.33%)` | :arrow_up: |
| [sqlite](https://app.codecov.io/gh/apache/superset/pull/37973/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `64.19% <18.18%> (?)` | |
| [unit](https://app.codecov.io/gh/apache/superset/pull/37973/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `?` | |

Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache#carryforward-flags-in-the-pull-request-comment) to find out more.

[:umbrella: View full report in Codecov by Sentry](https://app.codecov.io/gh/apache/superset/pull/37973?dropdown=coverage&src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
codeant-ai-for-open-source[bot] commented on code in PR #37973:
URL: https://github.com/apache/superset/pull/37973#discussion_r2806810158
##
superset/mcp_service/auth.py:
##
@@ -107,14 +116,28 @@ def get_user_from_request() -> User:
if hasattr(g, "user") and g.user:
return g.user
+# Try API key authentication via FAB SecurityManager
+api_key_enabled = current_app.config.get("FAB_API_KEY_ENABLED", False)
+if api_key_enabled:
Review Comment:
**Suggestion:** The API key extraction unconditionally calls a helper that
likely relies on a Flask request context; when MCP tools run with only an
application context (as mcp_auth_hook does for internal/non-HTTP operations),
this will raise a RuntimeError ("working outside of request context") instead
of gracefully skipping API-key auth, breaking flows that previously worked when
API keys are enabled. [logic error]
Severity Level: Critical 🚨
```mdx
- ❌ MCP tools crash when FAB_API_KEY_ENABLED is enabled.
- ❌ FastMCP internal operations fail with RuntimeError, breaking tooling.
- ⚠️ Development flows without HTTP requests become unusable.
```
```suggestion
from flask import has_request_context
# Try API key authentication via FAB SecurityManager
api_key_enabled = current_app.config.get("FAB_API_KEY_ENABLED", False)
if api_key_enabled and has_request_context():
```
Steps of Reproduction ✅
```mdx
1. Enable FAB API key auth by setting `FAB_API_KEY_ENABLED = True` in `superset_config.py`, causing the API-key branch in `get_user_from_request()` (`superset/mcp_service/auth.py:119-131`) to execute.
2. Start the standalone MCP server which wraps tools with `mcp_auth_hook()` (defined in `superset/mcp_service/auth.py`) so that each tool call enters `_setup_user_context()` and then `get_user_from_request()` inside a Flask *application* context only.
3. Trigger an MCP operation that is not handling an HTTP request (e.g., FastMCP tool discovery or background invocation), so `mcp_auth_hook._get_app_context_manager()` pushes `app.app_context()` but no request context is created (no `test_request_context()` or view handling).
4. During this call, `get_user_from_request()` reaches the API-key block and calls `sm._extract_api_key_from_request()` at line 123, which accesses `flask.request` and raises `RuntimeError("Working outside of request context")`; this bubbles out of `_setup_user_context()` (which only treats "application context" errors as expected) and crashes the MCP tool execution instead of falling back to `MCP_DEV_USERNAME` or returning `None` for internal calls.
```
##
superset-frontend/src/features/apiKeys/ApiKeyCreateModal.tsx:
##
@@ -0,0 +1,150 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { useState } from 'react';
+import { SupersetClient, t } from '@superset-ui/core';
+import { css, useTheme, Alert } from '@apache-superset/core/ui';
+import {
+ FormModal,
+ FormItem,
+ Input,
+ Button,
+} from '@superset-ui/core/components';
+import { useToasts } from 'src/components/MessageToasts/withToasts';
+
+interface ApiKeyCreateModalProps {
+ show: boolean;
+ onHide: () => void;
+ onSuccess: () => void;
+}
+
+interface FormValues {
+ name: string;
+}
+
+export function ApiKeyCreateModal({
+ show,
+ on
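Review bot: the quoted hunk is cut off after `+ on` in the component's destructured props (the header promises 150 added lines), so only the imports and the two interfaces can be reviewed here; in those, `ApiKeyCreateModalProps` and `FormValues` carry no doc comments, and `onSuccess: () => void` hands nothing back to the caller, so the parent must refetch the key list to see the new key. Consider a one-line JSDoc on `onSuccess` stating that contract, and confirm that `css`, `useTheme`, `Alert` and `Button` from the import block are all used in the part of the file not shown.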
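The failure mode described in steps 3 and 4 of the review comment above, as an added example that is not Superset's or the PR's code: it assumes Flask is installed, uses stand-in functions whose names (`extract_api_key_unguarded`, `extract_api_key_guarded`, `resolve_user`) and header name `X-API-Key` are this example's own, and shows the `has_request_context()` guard that lets the API-key path fall back to a default principal instead of raising when only an application context is active.

```python
"""Added example (not Superset code): reading flask.request with only an
application context pushed raises RuntimeError; checking has_request_context()
first lets the API-key step be skipped so the caller can fall back."""
from flask import Flask, has_request_context, request

# Header name assumed for this example; Superset's actual header is not shown here.
API_KEY_HEADER = "X-API-Key"


def extract_api_key_unguarded():
    """Mirrors the reported defect: touches flask.request unconditionally."""
    return request.headers.get(API_KEY_HEADER)


def extract_api_key_guarded():
    """Hardened form: only consult the request when one actually exists."""
    if not has_request_context():
        return None
    return request.headers.get(API_KEY_HEADER)


def resolve_user(extractor, fallback="dev-user"):
    """Return the principal an auth layer would use: the API key when one is
    present, otherwise `fallback` (stands in for MCP_DEV_USERNAME)."""
    key = extractor()
    return f"api-key:{key}" if key else fallback


def run_app_context_only(extractor):
    """Run the extractor with only an app context, like a background MCP tool
    invocation. Returns the resolved user, or the exception class name if the
    extractor raised (RuntimeError for the unguarded version)."""
    app = Flask(__name__)
    with app.app_context():
        try:
            return resolve_user(extractor)
        except RuntimeError as exc:
            return type(exc).__name__


def run_with_request(extractor, headers):
    """Run the extractor inside a real (test) request context with the given
    headers, i.e. the normal HTTP path where both variants behave the same."""
    app = Flask(__name__)
    with app.test_request_context("/", headers=headers):
        return resolve_user(extractor)


if __name__ == "__main__":
    print("unguarded, app context only:", run_app_context_only(extract_api_key_unguarded))
    print("guarded, app context only:  ", run_app_context_only(extract_api_key_guarded))
    # Constructed sample header value, not a real credential.
    print("guarded, with request:      ",
          run_with_request(extract_api_key_guarded, {API_KEY_HEADER: "constructed-key"}))
```

The guard changes nothing on the HTTP path (both variants read the same header), so its only effect is to turn a crash in non-request code paths into the documented fallback.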
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi closed pull request #36173: feat(api-keys): add API key authentication via FAB SecurityManager URL: https://github.com/apache/superset/pull/36173
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
aminghadersohi commented on PR #36173: URL: https://github.com/apache/superset/pull/36173#issuecomment-3900472631 Superseded by #37973 - fresh branch based on current master with cleaner implementation delegating to FAB SecurityManager.
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
bito-code-review[bot] commented on PR #37973: URL: https://github.com/apache/superset/pull/37973#issuecomment-3900472551 AI Code Review is in progress (usually takes 3 to 15 minutes unless it's a very large PR).
Re: [PR] feat(api-keys): add API key authentication via FAB SecurityManager [superset]
netlify[bot] commented on PR #36173: URL: https://github.com/apache/superset/pull/36173#issuecomment-3900401200

### ✅ Deploy Preview for *superset-docs-preview* ready!

| Name | Link |
|:-:|:-:|
| 🔨 Latest commit | e0d70cef51b692c4e3d8fb2c0bb119fc1885a333 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/superset-docs-preview/deploys/698fd0c2128eb300084a55e4 |
| 😎 Deploy Preview | [https://deploy-preview-36173--superset-docs-preview.netlify.app](https://deploy-preview-36173--superset-docs-preview.netlify.app) |

_To edit notification comments on pull requests, go to your [Netlify project configuration](https://app.netlify.com/projects/superset-docs-preview/configuration/notifications#deploy-notifications)._
