refactor(mcp): hoist API key auth imports to module top

The API_KEY_PASSTHROUGH_CLAIM constant in auth.py and CompositeTokenVerifier
in mcp_config.py have no circular-import or optional-dependency reason to
be imported inline. Moved them to module top.
Amin Ghadersohi
2026-05-08 14:36:16 -04:00
parent 76ad5e1bf7
commit 9ece5f42d7
2 changed files with 3 additions and 12 deletions


@@ -51,6 +51,8 @@ from typing import Any, Callable, TYPE_CHECKING, TypeVar
from flask import g, has_request_context
from flask_appbuilder.security.sqla.models import Group, User
from superset.mcp_service.composite_token_verifier import API_KEY_PASSTHROUGH_CLAIM
if TYPE_CHECKING:
from superset.connectors.sqla.models import SqlaTable
from superset.mcp_service.chart.chart_utils import DatasetValidationResult
@@ -221,10 +223,6 @@ def _resolve_user_from_jwt_context(app: Any) -> User | None:
# API key pass-through: CompositeTokenVerifier accepted this token
# at the transport layer but defers actual validation to
# _resolve_user_from_api_key() (priority 2 in get_user_from_request).
from superset.mcp_service.composite_token_verifier import (
API_KEY_PASSTHROUGH_CLAIM,
)
claims = getattr(access_token, "claims", None)
if isinstance(claims, dict) and claims.get(API_KEY_PASSTHROUGH_CLAIM):
logger.debug("API key pass-through token detected, deferring to API key auth")
@@ -294,10 +292,6 @@ def _resolve_user_from_api_key(app: Any) -> User | None:
# Only validate tokens that the CompositeTokenVerifier flagged as
# API key pass-throughs. Plain JWTs were already validated by the JWT
# verifier and resolved in _resolve_user_from_jwt_context.
from superset.mcp_service.composite_token_verifier import (
API_KEY_PASSTHROUGH_CLAIM,
)
claims = getattr(access_token, "claims", None)
if not (isinstance(claims, dict) and claims.get(API_KEY_PASSTHROUGH_CLAIM)):
return None
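Review bot: Both `_resolve_user_from_jwt_context` and `_resolve_user_from_api_key` branch on `claims.get(API_KEY_PASSTHROUGH_CLAIM)` being truthy, and nothing in these hunks records that only CompositeTokenVerifier may set this claim. If the JWT verifier copies issuer-supplied claims into `access_token.claims` (not visible here, so to be confirmed), a claim of the same name would change which auth path handles the token. That presumably fails closed, but the invariant should be written down. I would add a comment at the new module-level import, e.g. `# Marker set only by CompositeTokenVerifier; never trust it from token payload claims.`, and compare with `is True` if the verifier sets a boolean. Both function bodies start and end outside the hunks.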


@@ -22,6 +22,7 @@ from typing import Any, Dict, Optional
from flask import Flask
from superset.mcp_service.composite_token_verifier import CompositeTokenVerifier
from superset.mcp_service.constants import (
DEFAULT_TOKEN_LIMIT,
DEFAULT_WARN_THRESHOLD_PCT,
@@ -323,10 +324,6 @@ def create_default_mcp_auth_factory(app: Flask) -> Optional[Any]:
return None
if api_key_enabled:
from superset.mcp_service.composite_token_verifier import (
CompositeTokenVerifier,
)
api_key_prefixes = app.config.get("FAB_API_KEY_PREFIXES", ["sst_"])
logger.info("API key auth enabled for MCP")
return CompositeTokenVerifier(
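Review bot: With the import hoisted, `composite_token_verifier` is loaded whenever this module is imported, not only when `api_key_enabled` is true in `create_default_mcp_auth_factory`. The verifier module is not visible here, so whether it has import-time dependencies is an assumption to confirm. If it does, a failure there would now break MCP configuration for deployments that never enable API key auth. I would note the constraint beside the import, e.g. `# Loaded eagerly: keep composite_token_verifier free of optional imports.`, or cover it with an import smoke test. The function body continues outside the hunk.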