
fix(api): Fix JWT authentication for /api/v1/me endpoints

Open rusackas opened this issue 3 weeks ago • 4 comments

User description

Summary

This PR fixes a longstanding issue where JWT authentication didn't work with the /api/v1/me endpoints, causing 401 errors even with valid JWT tokens.

The root cause was that the endpoints relied on Flask's g.user being set, but there was no mechanism to populate it from JWT tokens in API requests. The @protect() decorator from Flask-AppBuilder properly handles both session-based and JWT-based authentication.

Changes

  • Add @protect() decorator to handle both session and JWT authentication
  • Add @permission_name() decorators for proper permission management
  • Remove redundant authentication checks now handled by @protect()
  • Add allow_browser_login = True for consistency with other APIs

Testing Instructions

  1. Obtain a JWT token via /api/v1/security/login
  2. Use the JWT token in the Authorization header: Bearer <token>
  3. Call /api/v1/me - should now return user info (previously returned 401)
  4. Call /api/v1/me/roles/ - should now return user roles (previously returned 401)
  5. Session-based authentication should continue to work as before

Fixes

Fixes: #19525

Additional Information

  • No breaking changes - this is a bug fix that makes JWT auth work as intended
  • Permissions are handled automatically by Flask-AppBuilder
  • Follows the same pattern as other Superset APIs

🤖 Generated with Claude Code


CodeAnt-AI Description

Restore JWT access to current-user APIs (/api/v1/me)

What Changed

  • GET /api/v1/me, GET /api/v1/me/roles, and PUT /api/v1/me accept JWT Bearer tokens as well as session authentication and will return user info/roles or update the profile instead of returning 401 for valid JWTs
  • The endpoints now require standard permissions (read for GETs, write for PUT) so access follows existing permission rules
  • Browser-based API login is enabled for these endpoints so authenticated browser requests behave consistently with other APIs

Impact

✅ Fewer 401s for JWT-authenticated requests
✅ Current-user endpoints accept both JWT and session authentication
✅ Profile updates via API enforce write permission

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

rusackas avatar Dec 03 '25 17:12 rusackas
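The testing steps in the PR description (obtain a JWT from /api/v1/security/login, send it as a Bearer token to /api/v1/me and /api/v1/me/roles/, expect 200 instead of 401) can be scripted so the fix is checked the same way every time. The script below is an added example, not code from the PR or from Superset; it assumes a Superset host reachable at the base URL you pass, the built-in "db" password provider, and adds one check the PR does not list: a request with no token must still get 401, confirming that @protect() keeps enforcing authentication rather than merely loosening it. The fake server, the user "alice" and the token "tok-123" are constructed so the script also runs offline.

```python
"""Added verification script (not part of the Superset PR): exercise the
/api/v1/me endpoints with a JWT obtained from /api/v1/security/login, plus an
unauthenticated control request that must still be rejected with 401."""
import json
import sys
import urllib.error
import urllib.request

# Endpoints named in the PR. Trailing slashes follow Flask-AppBuilder routing.
LOGIN_PATH = "/api/v1/security/login"
ME_PATH = "/api/v1/me/"
ROLES_PATH = "/api/v1/me/roles/"


def login_request(base_url, username, password):
    """Build the POST that obtains a JWT. The body keys (provider/refresh) are
    Flask-AppBuilder's login schema; "db" is the built-in password provider."""
    body = json.dumps({"username": username, "password": password,
                       "provider": "db", "refresh": True}).encode()
    return urllib.request.Request(base_url + LOGIN_PATH, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


def parse_access_token(body):
    """Extract access_token from the login response; raise if it is absent."""
    token = json.loads(body).get("access_token")
    if not token:
        raise ValueError("login response carries no access_token")
    return token


def api_request(base_url, path, token=None):
    """GET request for an API path; adds 'Authorization: Bearer <token>' when given."""
    headers = {"Accept": "application/json"}
    if token is not None:
        headers["Authorization"] = "Bearer " + token
    return urllib.request.Request(base_url + path, headers=headers)


def fetch_status(req, opener=urllib.request.urlopen):
    """Return (status, body). 4xx/5xx are returned rather than raised so a 401
    can be asserted as an expected outcome."""
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read() if err.fp is not None else b""


def check_me_endpoints(base_url, token, opener=urllib.request.urlopen):
    """Run the PR's test steps 2-4 plus a negative control. Returns
    {name: (status, passed)}; the control passes only when the server still
    answers 401 without a token, i.e. @protect() is enforcing authentication."""
    results = {}
    for name, path in (("me", ME_PATH), ("roles", ROLES_PATH)):
        status, _ = fetch_status(api_request(base_url, path, token), opener)
        results[name] = (status, status == 200)
    status, _ = fetch_status(api_request(base_url, ME_PATH), opener)
    results["no_token"] = (status, status == 401)
    return results


# --- Constructed stand-in for a Superset server, so the script runs offline ---
class _FakeResponse:
    def __init__(self, status, body):
        self.status, self._body = status, body
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def read(self): return self._body


def fake_superset(req):
    """Behaves like a Superset with the fix applied: issues a token on login
    and serves /api/v1/me* only to requests carrying that bearer token."""
    if req.selector == LOGIN_PATH and req.get_method() == "POST":
        return _FakeResponse(200, b'{"access_token": "tok-123", "refresh_token": "ref-456"}')
    if req.get_header("Authorization") == "Bearer tok-123":
        return _FakeResponse(200, b'{"result": {"username": "alice"}}')
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)


def run(base_url, username, password, opener=urllib.request.urlopen):
    """Log in, run the checks, print one PASS/FAIL line each; True if all pass."""
    status, body = fetch_status(login_request(base_url, username, password), opener)
    if status != 200:
        raise SystemExit(f"login failed with HTTP {status}")
    results = check_me_endpoints(base_url, parse_access_token(body), opener)
    for name, (status, passed) in results.items():
        print(f"{name:9s} HTTP {status}  {'PASS' if passed else 'FAIL'}")
    return all(passed for _, passed in results.values())


if __name__ == "__main__":
    # Real run: python verify_me.py http://localhost:8088 <username> <password>
    # No arguments: exercise the constructed fake server instead.
    if len(sys.argv) == 4:
        ok = run(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        ok = run("http://superset.invalid", "alice", "secret", fake_superset)
    sys.exit(0 if ok else 1)
```

The opener is injectable so the same checks run against the constructed fake and against a real instance; against a pre-fix Superset the "me" and "roles" rows report HTTP 401 and FAIL while the "no_token" control still passes.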

CodeAnt AI is reviewing your PR.

Code Review Agent Run #40fa9f

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: e72324c..e72324c
    • superset/views/users/api.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent. You can customize the agent settings here or contact your Bito workspace admin at [email protected].

Documentation & Help


bito-code-review[bot] avatar Dec 03 '25 17:12 bito-code-review[bot]

Nitpicks 🔍

🔒 No security issues identified
⚡ Recommended areas for review

  • [ ] allow_browser_login impact
    allow_browser_login = True was added to this API class. Confirm this change aligns with the intended behavior (it allows browser session login for API endpoints) and doesn't widen the authentication surface inadvertently.

CodeAnt AI finished reviewing your PR.