fix: Fix SupersetClient.postForm calls when SUPERSET_APP_ROOT defined (#38069)

Open
martyngigg wants to merge 4 commits into apache:master from ISISNeutronMuon:improve-supersetclient-postform-api

Conversation

@martyngigg (Contributor)

SUMMARY

The SupersetClient.postForm API only accepted an endpoint and when called with a url caused a doubling up of the app_root when it was defined. We have changed the postForm signature to accept either a url or endpoint that is passed to getUrl. Call sites and tests have been updated.

This PR brings in changes from:

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

Set SUPERSET_APP_ROOT=/analytics in docker/.env-local and boot up the docker-compose-light setup.

  • Test login works and does not give a 404
  • Test exporting a chart works and the url does not contain the app_root twice.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

* Include app_root in login next= parameter

* Fix login with OAUTH/LDAP when app_root is defined

* Add tests for Login links on Register/Login pages
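The summary above describes the bug (an app root prefixed twice when a full url was passed through the endpoint path) and the fix (let callers pass either an endpoint or a url). The following is an added illustration written for this page, not Superset's own `getUrl` or `postForm` code: `resolveFormAction`, `FormTarget` and the `appRoot`/`origin` parameters are assumptions. It prefixes the app root exactly once for an endpoint, takes a url as already rooted, and additionally refuses destinations a hidden form carrying a CSRF token should never be submitted to (non-http(s) schemes and other origins).

```typescript
// Added example (not Superset's code). Names and parameters are assumptions
// chosen for this illustration.

interface FormTarget {
  endpoint?: string; // path relative to the app root, e.g. "/superset/explore_json/"
  url?: string;      // a path or URL that already includes the app root
}

function resolveFormAction(
  cfg: FormTarget,
  appRoot: string, // e.g. "/analytics" when SUPERSET_APP_ROOT=/analytics, or ""
  origin: string,  // the page's own origin, e.g. "https://superset.example.org"
): string {
  if (typeof cfg !== 'object' || cfg === null) {
    // A plain string argument would otherwise be a silent no-op.
    throw new TypeError('postForm expects an object with endpoint or url');
  }
  const root = appRoot.replace(/\/+$/, ''); // tolerate a trailing slash in the root

  if (cfg.url !== undefined) {
    // A url is trusted to already contain the app root, so it is not prefixed.
    // Resolving against the page origin turns relative paths into absolute URLs.
    const resolved = new URL(cfg.url, origin);
    if (resolved.protocol !== 'https:' && resolved.protocol !== 'http:') {
      throw new Error(`refusing non-http(s) form action: ${resolved.protocol}`);
    }
    if (resolved.origin !== new URL(origin).origin) {
      // The form body carries the CSRF token; never post it to another host.
      throw new Error(`refusing cross-origin form action: ${resolved.origin}`);
    }
    return resolved.pathname + resolved.search;
  }

  if (cfg.endpoint !== undefined) {
    // An endpoint is always prefixed with the app root, exactly once.
    const path = cfg.endpoint.startsWith('/') ? cfg.endpoint : `/${cfg.endpoint}`;
    return `${root}${path}`;
  }

  throw new Error('postForm requires endpoint or url');
}

// Usage (constructed values): with the app root set to /analytics, an endpoint is
// prefixed once, while a url is taken as already carrying the root.
const EXAMPLE_ORIGIN = 'https://superset.example.org';
const viaEndpoint = resolveFormAction(
  { endpoint: '/superset/explore_json/' },
  '/analytics',
  EXAMPLE_ORIGIN,
);
const viaUrl = resolveFormAction(
  { url: '/analytics/superset/explore_json/' },
  '/analytics',
  EXAMPLE_ORIGIN,
);
```

Passing an already-rooted path as an endpoint reproduces the doubled prefix the PR describes, which is exactly why the two fields have to be kept distinct at the API boundary.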
@dosubot added the change:frontend label (Requires changing the frontend) on Feb 18, 2026
Comment on lines +123 to +126
hiddenForm.action = this.getUrl({
endpoint: postFormConfig.endpoint,
url: postFormConfig.url,
});
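Review bot: the `hiddenForm.action` assignment on these lines is the sink the CodeQL alert below points at, and `postFormConfig.url` now reaches it without any check on what kind of URL it is; a `javascript:` scheme in a form `action` runs on submit, so `getUrl` (or this method) should reject values whose scheme is not http(s) before assigning `action`, rather than leaving that to each call site.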

Check failure: Code scanning / CodeQL

DOM text reinterpreted as HTML (High): DOM text is reinterpreted as HTML without escaping meta-characters.
@bito-code-review (Contributor)

The security alert flags a potential XSS vulnerability in the postForm method of SupersetClientClass.ts, where payload values are assigned to form input values without escaping HTML meta-characters. If these values are displayed as HTML on the target page after form submission, it could allow script injection. The diff shows changes to how the payload is handled, but the full method isn't visible. Sanitize or escape payload values before setting them to prevent reinterpreting text as HTML.

@netlify netlify bot commented Feb 18, 2026

Deploy Preview for superset-docs-preview ready!

Latest commit: 8970767
Latest deploy log: https://app.netlify.com/projects/superset-docs-preview/deploys/6995c1cd609d1b0008e9671e
Deploy Preview: https://deploy-preview-38069--superset-docs-preview.netlify.app

@codecov codecov bot commented Feb 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.43%. Comparing base (9131739) to head (abf5c08).
⚠️ Report is 12 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff             @@
##           master   #38069       +/-   ##
===========================================
+ Coverage        0   66.43%   +66.43%     
===========================================
  Files           0      668      +668     
  Lines           0    51376    +51376     
  Branches        0     5791     +5791     
===========================================
+ Hits            0    34132    +34132     
- Misses          0    15855    +15855     
- Partials        0     1389     +1389     
Flag Coverage Δ
hive 41.44% <50.00%> (?)
mysql 64.54% <100.00%> (?)
postgres 64.61% <100.00%> (?)
presto 41.46% <50.00%> (?)
python 66.40% <100.00%> (?)
sqlite 64.21% <100.00%> (?)
unit 100.00% <ø> (?)


@bito-code-review (Contributor) left a comment

Code Review Agent Run #539b61

Actionable Suggestions - 1
  • superset-frontend/packages/superset-ui-core/test/connection/SupersetClientClass.test.ts - 1
Review Details
  • Files reviewed - 16 · Commit Range: 8970767..8970767
    • superset-frontend/packages/superset-ui-core/src/connection/SupersetClient.ts
    • superset-frontend/packages/superset-ui-core/src/connection/SupersetClientClass.ts
    • superset-frontend/packages/superset-ui-core/src/connection/types.ts
    • superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts
    • superset-frontend/packages/superset-ui-core/test/connection/SupersetClientClass.test.ts
    • superset-frontend/src/SqlLab/components/ExploreCtasResultsButton/ExploreCtasResultsButton.test.tsx
    • superset-frontend/src/components/Chart/chartAction.ts
    • superset-frontend/src/explore/components/controls/DatasourceControl/index.tsx
    • superset-frontend/src/explore/components/controls/ViewQueryModalFooter.tsx
    • superset-frontend/src/explore/exploreUtils/index.ts
    • superset-frontend/src/pages/Login/Login.test.tsx
    • superset-frontend/src/pages/Login/index.tsx
    • superset-frontend/src/pages/Register/Register.test.tsx
    • superset-frontend/src/pages/Register/index.tsx
    • superset/views/utils.py
    • tests/integration_tests/test_subdirectory_deployments.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • Eslint (Linter) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset. You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

@bito-code-review (Contributor) commented Feb 18, 2026

Code Review Agent Run #b02e7d

Actionable Suggestions - 0
Review Details
  • Files reviewed - 16 · Commit Range: 8970767..c58fa53
    • superset-frontend/packages/superset-ui-core/src/connection/SupersetClient.ts
    • superset-frontend/packages/superset-ui-core/src/connection/SupersetClientClass.ts
    • superset-frontend/packages/superset-ui-core/src/connection/types.ts
    • superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts
    • superset-frontend/packages/superset-ui-core/test/connection/SupersetClientClass.test.ts
    • superset-frontend/src/SqlLab/components/ExploreCtasResultsButton/ExploreCtasResultsButton.test.tsx
    • superset-frontend/src/components/Chart/chartAction.ts
    • superset-frontend/src/explore/components/controls/DatasourceControl/index.tsx
    • superset-frontend/src/explore/components/controls/ViewQueryModalFooter.tsx
    • superset-frontend/src/explore/exploreUtils/index.ts
    • superset-frontend/src/pages/Login/Login.test.tsx
    • superset-frontend/src/pages/Login/index.tsx
    • superset-frontend/src/pages/Register/Register.test.tsx
    • superset-frontend/src/pages/Register/index.tsx
    • superset/views/utils.py
    • tests/integration_tests/test_subdirectory_deployments.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • Eslint (Linter) - ✔︎ Successful

@bito-code-review (Contributor) commented Feb 18, 2026

Code Review Agent Run #24b841

Actionable Suggestions - 0
Review Details
  • Files reviewed - 17 · Commit Range: c58fa53..cc8f486
    • superset-frontend/packages/superset-ui-core/src/connection/SupersetClient.ts
    • superset-frontend/packages/superset-ui-core/src/connection/SupersetClientClass.ts
    • superset-frontend/packages/superset-ui-core/src/connection/types.ts
    • superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts
    • superset-frontend/packages/superset-ui-core/test/connection/SupersetClientClass.test.ts
    • superset-frontend/src/SqlLab/components/ExploreCtasResultsButton/ExploreCtasResultsButton.test.tsx
    • superset-frontend/src/components/Chart/chartAction.ts
    • superset-frontend/src/explore/components/controls/DatasourceControl/index.tsx
    • superset-frontend/src/explore/components/controls/ViewQueryModalFooter.tsx
    • superset-frontend/src/explore/exploreUtils/exportChart.test.ts
    • superset-frontend/src/explore/exploreUtils/index.ts
    • superset-frontend/src/pages/Login/Login.test.tsx
    • superset-frontend/src/pages/Login/index.tsx
    • superset-frontend/src/pages/Register/Register.test.tsx
    • superset-frontend/src/pages/Register/index.tsx
    • superset/views/utils.py
    • tests/integration_tests/test_subdirectory_deployments.py
  • Files skipped - 0
  • Tools
    • Eslint (Linter) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

@EnxDev (Contributor) commented Feb 19, 2026

Superset uses Git pre-commit hooks courtesy of pre-commit. To install run the following:

pre-commit install

This will install the hooks in your local repository. From now on, a series of checks will automatically run whenever you make a Git commit. To run pre-commit manually run the following:

pre-commit run --all-files

@martyngigg (Contributor, Author)

@EnxDev Thanks. I had pre-commit enabled but it seems to pass when the CI checks fail it, which I find confusing.

The failures that currently show up don't show up for me either. I'm not sure why.

@bito-code-review (Contributor) commented Feb 19, 2026

Code Review Agent Run #493a19

Actionable Suggestions - 0
Review Details
  • Files reviewed - 17 · Commit Range: cc8f486..abf5c08
    • superset-frontend/packages/superset-ui-core/src/connection/SupersetClient.ts
    • superset-frontend/packages/superset-ui-core/src/connection/SupersetClientClass.ts
    • superset-frontend/packages/superset-ui-core/src/connection/types.ts
    • superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts
    • superset-frontend/packages/superset-ui-core/test/connection/SupersetClientClass.test.ts
    • superset-frontend/src/SqlLab/components/ExploreCtasResultsButton/ExploreCtasResultsButton.test.tsx
    • superset-frontend/src/components/Chart/chartAction.ts
    • superset-frontend/src/explore/components/controls/DatasourceControl/index.tsx
    • superset-frontend/src/explore/components/controls/ViewQueryModalFooter.tsx
    • superset-frontend/src/explore/exploreUtils/exportChart.test.ts
    • superset-frontend/src/explore/exploreUtils/index.ts
    • superset-frontend/src/pages/Login/Login.test.tsx
    • superset-frontend/src/pages/Login/index.tsx
    • superset-frontend/src/pages/Register/Register.test.tsx
    • superset-frontend/src/pages/Register/index.tsx
    • superset/views/utils.py
    • tests/integration_tests/test_subdirectory_deployments.py
  • Files skipped - 0
  • Tools
    • Eslint (Linter) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

@martyngigg (Contributor, Author)

I think the pre-commit job on master is broken, as merging in master here has caused the oxlint failures to show up.

@sadpandajoe (Member)

@martyngigg I haven't been working on that branch in awhile, feel free to drop or merge what you need into your branch to move things forward.

Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses incorrect URL construction when Superset is deployed under a non-root SUPERSET_APP_ROOT by updating how form POSTs and login redirects determine their effective URL, preventing “double app_root” prefixes and improving subdirectory deployment behavior.

Changes:

  • Update SupersetClient.postForm to accept either an endpoint or a full url (resolved via getUrl) and migrate call sites/tests.
  • Fix redirect_to_login so the next parameter includes request.script_root for subdirectory deployments.
  • Update Login/Register/Explore flows and corresponding tests to respect app root in links and form submissions.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

Show a summary per file

  • tests/integration_tests/test_subdirectory_deployments.py: Adds coverage to ensure redirect_to_login() includes app root and preserves query strings.
  • superset/views/utils.py: Prefixes next targets with request.script_root to support subdirectory deployments.
  • superset-frontend/src/pages/Register/index.tsx: Uses ensureAppRoot for login link and updates postForm call to new config signature.
  • superset-frontend/src/pages/Register/Register.test.tsx: Adds assertions for login link href with/without app root.
  • superset-frontend/src/pages/Login/index.tsx: Ensures provider/register links respect app root and updates postForm usage.
  • superset-frontend/src/pages/Login/Login.test.tsx: Adds coverage for app-rooted register/oauth URLs and updated postForm signature.
  • superset-frontend/src/explore/exploreUtils/index.ts: Uses SupersetClient.getUrl for v1 export URL and updates postForm usage.
  • superset-frontend/src/explore/exploreUtils/exportChart.test.ts: Updates mocks to use SupersetClient.getUrl instead of legacy app-root logic.
  • superset-frontend/src/explore/components/controls/ViewQueryModalFooter.tsx: Migrates postForm call to config object signature.
  • superset-frontend/src/explore/components/controls/DatasourceControl/index.tsx: Migrates postForm call to config object signature.
  • superset-frontend/src/components/Chart/chartAction.ts: Migrates SQL Lab redirect postForm call to config object signature.
  • superset-frontend/src/SqlLab/components/ExploreCtasResultsButton/ExploreCtasResultsButton.test.tsx: Updates expectation for new postForm({ url, payload }) call shape.
  • superset-frontend/packages/superset-ui-core/test/connection/SupersetClientClass.test.ts: Updates postForm tests to use new config signature.
  • superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts: Adds getUrl exposure test and updates configure-flow expectations.
  • superset-frontend/packages/superset-ui-core/src/connection/types.ts: Introduces PostFormConfig types to support endpoint or url inputs.
  • superset-frontend/packages/superset-ui-core/src/connection/SupersetClientClass.ts: Refactors postForm to accept config object and resolve URLs via getUrl.
  • superset-frontend/packages/superset-ui-core/src/connection/SupersetClient.ts: Exposes getUrl on the exported SupersetClient singleton.
Comments suppressed due to low confidence (1)

superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts:55

  • The test for “throws before configure” doesn’t include the newly exposed SupersetClient.getUrl method. To keep this test aligned with the public API surface (and to prevent regressions), add an assertion that SupersetClient.getUrl throws when called before configure().
  test('throws if you call init, get, post, postForm, isAuthenticated, and reAuthenticate before configure', () => {
    expect(SupersetClient.init).toThrow();
    expect(SupersetClient.get).toThrow();
    expect(SupersetClient.post).toThrow();
    expect(SupersetClient.postForm).toThrow();
    expect(SupersetClient.isAuthenticated).toThrow();
    expect(SupersetClient.reAuthenticate).toThrow();
    expect(SupersetClient.request).toThrow();

Comment on lines +119 to 129
async postForm(postFormConfig: PostFormConfig) {
if (postFormConfig.endpoint || postFormConfig.url) {
await this.ensureAuth();
const hiddenForm = document.createElement('form');
hiddenForm.action = this.getUrl({ endpoint });
hiddenForm.action = this.getUrl({
endpoint: postFormConfig.endpoint,
url: postFormConfig.url,
});
hiddenForm.method = 'POST';
hiddenForm.target = target;
hiddenForm.target = postFormConfig.target ?? '_blank';
const payloadWithToken: Record<string, any> = {
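Review bot: the body this form submits is built from `payloadWithToken`, which by its name carries the CSRF token, yet the `url` taken from `postFormConfig` is assigned to `hiddenForm.action` with no same-origin check, so a call site that lets a non-constant value reach `url` would submit the token to another host. Suggest constraining `url` to the page's own origin (for example by resolving it against `window.location.origin` and comparing) before the `hiddenForm.action = this.getUrl({ ... })` assignment, and have the `if (postFormConfig.endpoint || postFormConfig.url)` guard throw rather than fall through silently when neither field is set.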
Copilot AI commented Mar 2, 2026

SupersetClientClass.postForm now only accepts a config object, which is a breaking change for any external consumers still calling postForm(endpoint, payload, target). At runtime, passing a string will also silently no-op because postFormConfig.endpoint/url will be undefined on a string. Consider supporting the legacy positional signature (with a deprecation path) or throwing a clear error when the argument is not an object containing endpoint or url.

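The comment above suggests either keeping the legacy positional signature behind a deprecation path or failing with a clear error. The following is an added illustration written for this page, not Superset's own `postForm` implementation: `PostFormConfig` mirrors the shape named in the PR but its fields here, and the name `normalizePostFormArgs`, are assumptions. It accepts both call shapes, emits a deprecation warning for the positional one, and throws instead of silently doing nothing when the argument is unusable; rejecting a config that sets both `endpoint` and `url` is a design choice of this example, not something the PR states.

```typescript
// Added example (not Superset's code). Type and function names are assumptions.

interface PostFormConfig {
  endpoint?: string;
  url?: string;
  payload?: Record<string, unknown>;
  target?: string;
}

type NormalizedPostFormConfig = PostFormConfig & {
  payload: Record<string, unknown>;
  target: string;
};

// Accepts either the new config object or the legacy
// (endpoint, payload, target) positional arguments. The warn callback is
// injectable so the deprecation path can be tested without console output.
function normalizePostFormArgs(
  first: PostFormConfig | string,
  payload?: Record<string, unknown>,
  target?: string,
  warn: (msg: string) => void = console.warn,
): NormalizedPostFormConfig {
  let cfg: PostFormConfig;

  if (typeof first === 'string') {
    warn('postForm(endpoint, payload, target) is deprecated; pass a config object instead');
    cfg = { endpoint: first, payload, target };
  } else if (first !== null && typeof first === 'object') {
    cfg = first;
  } else {
    // Numbers, null, undefined: fail loudly rather than skipping the submit.
    throw new TypeError('postForm: expected a config object or an endpoint string');
  }

  if (!cfg.endpoint && !cfg.url) {
    throw new TypeError('postForm: config must contain endpoint or url');
  }
  if (cfg.endpoint && cfg.url) {
    // Ambiguous: the caller cannot mean both an app-root-relative endpoint and a full url.
    throw new TypeError('postForm: pass either endpoint or url, not both');
  }

  return { ...cfg, payload: cfg.payload ?? {}, target: cfg.target ?? '_blank' };
}
```

The returned object has `target` and `payload` filled in, so the code that builds the hidden form can rely on them without repeating the defaults.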
Comment on lines +384 to +388
SupersetClient.postForm({
url,
payload: {
form_data: safeStringify(payload),
},
Copilot AI commented Mar 2, 2026

url is typed as string | null, but it’s passed directly to SupersetClient.postForm({ url, ... }). Even though runtime control flow ensures url should be non-null here, TypeScript won’t necessarily narrow it across branches and this can break builds (and also allows onStartStreamingExport to receive a nullable URL type). Consider adding a single non-null guard after the legacy/v1 branch (or refactoring so url is a plain string by this point).


Labels

change:frontend (Requires changing the frontend), packages, size/L


4 participants