fix(mcp): correct method name in API key auth (extract_api_key_from_request)

[aminghadersohi]

SUMMARY

Fixes a method name mismatch in superset/mcp_service/auth.py that caused MCP API key authentication to silently fail.

_resolve_user_from_api_key() referenced sm._extract_api_key_from_request (private, underscore prefix), but FAB defines it as sm.extract_api_key_from_request (public, no underscore). The hasattr check always returned False, so the function returned None immediately and MCP fell through to MCP_DEV_USERNAME / g.user instead of authenticating via API key.

Changes:

• superset/mcp_service/auth.py: Rename _extract_api_key_from_request → extract_api_key_from_request in the hasattr guard and the call site (2 lines)
• tests/unit_tests/mcp_service/test_auth_api_key.py: Update all existing mock references to the correct method name, and add a regression test (test_security_manager_has_expected_api_key_methods) that asserts both method names referenced in auth.py actually exist on the real SecurityManager object — so CI catches future name mismatches instead of silently failing at runtime

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — auth bug fix with no UI changes.

TESTING INSTRUCTIONS

1. Run pytest tests/unit_tests/mcp_service/test_auth_api_key.py — all tests should pass
2. To manually verify: create an API key via /api/v1/security/api_keys/, then call an MCP tool with Authorization: Bearer sst_<key> — should authenticate correctly instead of falling through to dev user

ADDITIONAL INFORMATION

• Has associated issue: SC-99414 (Shortcut)
• Required feature flags:
• Changes UI
• Includes DB Migration
• Introduces new feature or API
• Removes existing feature or API

Relates to #37973 (the PR that added API key auth — this fixes the MCP integration that failed QA 0/6).

🤖 Generated with Claude Code

[bito-code-review]

Code Review Agent Run #4ddf1b

Actionable Suggestions - 0

Review Details

• Files reviewed - 2 · Commit Range: 6e34690..6e34690

  • superset/mcp_service/auth.py
  • tests/unit_tests/mcp_service/test_auth_api_key.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[codecov]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.49%. Comparing base (4bdc8d4) to head (6e34690).

Files with missing lines	Patch %	Lines
superset/mcp_service/auth.py	0.00%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #39437   +/-   ##
=======================================
  Coverage   64.49%   64.49%           
=======================================
  Files        2557     2557           
  Lines      133097   133097           
  Branches    30910    30910           
=======================================
  Hits        85846    85846           
  Misses      45761    45761           
  Partials     1490     1490           

Flag	Coverage Δ
hive	39.87% <0.00%> (ø)
mysql	60.50% <0.00%> (ø)
postgres	60.58% <0.00%> (ø)
presto	41.66% <0.00%> (ø)
python	62.16% <0.00%> (ø)
sqlite	60.21% <0.00%> (ø)
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.