fix(SIP): Session/token lifecycle and extension supply-chain hardening (proposal)#40674
Draft
rusackas wants to merge 1 commit into
Conversation
sha174n approved these changes, Jun 2, 2026
This was referenced Jun 3, 2026
rusackas pushed a commit that referenced this pull request, Jun 3, 2026:

Implements Part A3 of the session/token-lifecycle SIP (#40674): granular, per-embedded-dashboard guest-token revocation that complements the global revocation mechanism.

- `embedded_dashboards.guest_token_revoked_before` (migration) records the revocation instant for one embedded dashboard.
- `get_guest_user_from_request` rejects a guest token whose `iat` predates the `guest_token_revoked_before` of any dashboard resource it references (UTC-safe comparison). Tokens issued afterwards, and dashboards never revoked (NULL), are unaffected.
- `POST /api/v1/dashboard/<id_or_slug>/embedded/revoke` (gated by the existing `can_set_embedded` permission) stamps the timestamp via `EmbeddedDashboardDAO.revoke_guest_tokens`.

Guest tokens already carry `iat`, so no token-format change is needed.

Validated end-to-end against a local Docker stack (token valid -> revoke -> rejected -> new token valid; revoke endpoint returns 200) plus integration tests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
rusackas pushed a commit that referenced this pull request, Jun 3, 2026:

Completes the static supply-chain controls for Part B of the security SIP (#40674), alongside the EXTENSION_DENYLIST in this PR.

- EXTENSION_VERSION_POLICY maps an extension id to a minimum allowed version; releases below it are refused (PEP 440 comparison, fail-closed on unparseable versions).
- Consolidate the denylist + version checks into get_extension_rejection_reason, removing the duplicated rejection blocks across the two load paths and logging a single, specific reason.
- Add UPDATING.md notes for both controls.

The pluggable advisory/vuln-DB provider remains a separate follow-up.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
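The shape of the consolidated check described in that commit (denylist first, then a minimum-version policy that refuses unparseable versions), as an added example that is not Superset's code. The configuration values, extension ids and message wording are constructed; the real project compares versions with PEP 440 semantics, whereas this stand-in accepts only a plain dotted release segment and treats anything else (pre-release tags, `latest`, garbage) as unparseable, which is stricter but preserves the fail-closed behaviour the commit calls for. Where `packaging.version.Version` is available it can replace `parse_release` to get full PEP 440 ordering.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample configuration: stand-ins for the settings named in the
# commit message. The ids and versions below are made up for this example.
EXTENSION_DENYLIST: Set[str] = {"acme-evil-ext"}
EXTENSION_VERSION_POLICY: Dict[str, str] = {"acme-charts": "2.1.0"}

# Only a plain dotted release segment (e.g. "2.1.0") is accepted. Pre-release
# or local labels and free text are deliberately unparseable here.
_RELEASE_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_release(version: object) -> Optional[Tuple[int, ...]]:
    """Parse a release segment into a tuple of ints; None when unparseable."""
    if not isinstance(version, str):
        return None
    text = version.strip()
    if not _RELEASE_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Zero-pad both tuples to the same length so 2.1 compares equal to 2.1.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def get_extension_rejection_reason(
    ext_id: str,
    version: object,
    denylist: Optional[Set[str]] = None,
    policy: Optional[Dict[str, str]] = None,
) -> Optional[str]:
    """Return a single, specific reason to refuse loading an extension, or
    None when it may load. The denylist is consulted before the version policy."""
    denylist = EXTENSION_DENYLIST if denylist is None else denylist
    policy = EXTENSION_VERSION_POLICY if policy is None else policy

    if ext_id in denylist:
        return f"extension {ext_id!r} is listed in EXTENSION_DENYLIST"

    minimum = policy.get(ext_id)
    if minimum is None:
        return None  # no policy entry for this extension: nothing to enforce

    have, want = parse_release(version), parse_release(minimum)
    if have is None or want is None:
        # Fail closed: if either side cannot be parsed, refuse the load rather
        # than guessing that the candidate is new enough.
        return (
            f"extension {ext_id!r}: cannot compare version {version!r} against "
            f"minimum {minimum!r} from EXTENSION_VERSION_POLICY; refusing to load"
        )

    have, want = _padded(have, want)
    if have < want:
        return (
            f"extension {ext_id!r} version {version} is below the minimum "
            f"{minimum} required by EXTENSION_VERSION_POLICY"
        )
    return None


if __name__ == "__main__":
    # Constructed candidates exercising each branch of the check.
    for ext_id, version in [
        ("acme-evil-ext", "9.9.9"),
        ("acme-charts", "2.0.9"),
        ("acme-charts", "2.1"),
        ("acme-charts", "10.0.0"),
        ("acme-charts", "2.1.0rc1"),
        ("unlisted-ext", "0.0.1"),
    ]:
        reason = get_extension_rejection_reason(ext_id, version)
        print(f"{ext_id} {version}: {'LOAD' if reason is None else 'REFUSE: ' + reason}")
```

Both load paths would call `get_extension_rejection_reason` and log whatever it returns, so the decision and its wording live in exactly one place; numeric tuple comparison avoids the classic string-ordering mistake where `"10.0.0"` sorts below `"2.1.0"`.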
Proposal collecting the security-review items that are not safely shippable as isolated PRs: session regeneration on login (A1), session termination on account disable/delete via an invalidation epoch (A2), guest-token revocation (A3), and extension supply-chain advisory checks (Part B). Each section gives a proposed design, compatibility notes, and rejected alternatives. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
d67b849 to 6fd6557
rusackas pushed a commit that referenced this pull request, Jun 4, 2026:

Implements Part A2 of the session/token-lifecycle SIP (#40674): a backend-agnostic per-user invalidation epoch.

- `UserAttribute.sessions_invalidated_at` (migration) records when a user's sessions were invalidated.
- Login stamps `session["_login_at"]`; a `before_request` hook forces logout of any session that predates the user's epoch, then lets the request continue as anonymous so each route responds correctly for its type (401 for the REST API, redirect-to-login for HTML views).
- A SQLAlchemy `after_update` listener stamps the epoch when `active` flips to False, so it fires regardless of the disable path (admin UI, REST API, CLI), for both client-side cookie and server-side session backends.

Inert for users that were never disabled (NULL epoch) — backwards compatible by default. Comparison treats the naive UTC column correctly.

Validated end-to-end against a local Docker stack (login -> disable -> forced 401) plus unit and integration tests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
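Both the Part A2 commit above and the Part A3 commit earlier on this page reduce to the same predicate: a timestamp stamped at issue or login time is compared against a nullable epoch stored in a naive-UTC column, and anything issued before the epoch is rejected. The following is an added example of that comparison, not Superset's code: it assumes the JWT `iat` and the session's `_login_at` are POSIX timestamps, that the database columns are naive datetimes in UTC, and that a token's dashboard resources are dictionaries with `type` and `id` keys. The `revoked_before_by_dashboard` table, the helper names and the sample timestamps are constructed for the example, and one policy choice is the example's own: a session that carries no `_login_at` stamp while the user has a non-NULL epoch is treated as stale (fail closed).

```python
from datetime import datetime, timezone
from typing import Mapping, Optional, Tuple


def naive_utc(iso: str) -> datetime:
    """Constructed stand-in for a naive-UTC DB column value, e.g. '2026-06-03T11:00:00'."""
    return datetime.fromisoformat(iso)


def utc_ts(iso: str) -> int:
    """Constructed stand-in for a POSIX timestamp stamped at token issue or login."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


def to_aware_utc(value: Optional[datetime]) -> Optional[datetime]:
    """Treat a naive datetime as UTC, convert an aware one to UTC, keep None."""
    if value is None:
        return None
    if value.tzinfo is None:
        return value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def issued_before_epoch(issued_at: Optional[float], epoch: Optional[datetime]) -> bool:
    """True when the POSIX timestamp predates the stored epoch.

    A NULL epoch (never revoked / never disabled) invalidates nothing, so the
    check is inert by default. A missing timestamp alongside a non-NULL epoch
    is treated as stale (fail closed; an assumption of this example).
    """
    epoch_utc = to_aware_utc(epoch)
    if epoch_utc is None:
        return False
    if issued_at is None:
        return True
    return datetime.fromtimestamp(issued_at, tz=timezone.utc) < epoch_utc


# Part A3: per-embedded-dashboard guest-token revocation.
def guest_token_is_revoked(
    token: Mapping, revoked_before_by_dashboard: Mapping[str, Optional[datetime]]
) -> bool:
    """Reject a guest token whose iat predates guest_token_revoked_before of ANY
    dashboard resource it references. Dashboards absent from the table or with a
    NULL column do not revoke."""
    iat = token.get("iat")
    for resource in token.get("resources", ()):
        if resource.get("type") != "dashboard":
            continue
        epoch = revoked_before_by_dashboard.get(str(resource.get("id")))
        if issued_before_epoch(iat, epoch):
            return True
    return False


# Part A2: per-user session invalidation epoch.
def session_is_stale(session: Mapping, sessions_invalidated_at: Optional[datetime]) -> bool:
    """True when the session's _login_at stamp predates the user's epoch; a
    before_request hook would log such a session out and continue as anonymous."""
    return issued_before_epoch(session.get("_login_at"), sessions_invalidated_at)


def revoke_then_reissue() -> Tuple[bool, bool, bool]:
    """Walk the sequence from the commit message: token valid -> revoke ->
    rejected -> new token valid. Returns (accepted_before, rejected_after, new_accepted)."""
    table: dict = {"7": None}  # constructed embedded_dashboards row, never revoked
    dashboard7 = [{"type": "dashboard", "id": 7}]
    token1 = {"iat": utc_ts("2026-06-03T10:00:00"), "resources": dashboard7}
    accepted_before = not guest_token_is_revoked(token1, table)
    table["7"] = naive_utc("2026-06-03T11:00:00")  # the revoke endpoint stamps now()
    rejected_after = guest_token_is_revoked(token1, table)
    token2 = {"iat": utc_ts("2026-06-03T12:00:00"), "resources": dashboard7}
    new_accepted = not guest_token_is_revoked(token2, table)
    return accepted_before, rejected_after, new_accepted


if __name__ == "__main__":
    print("A3 sequence (accepted, rejected, new accepted):", revoke_then_reissue())
    print("A2 stale session:", session_is_stale(
        {"_login_at": utc_ts("2026-06-03T10:00:00")}, naive_utc("2026-06-03T11:00:00")))
```

The one line that matters for correctness is `to_aware_utc`: comparing an aware `datetime` built from `iat` against a naive column value raises `TypeError` in Python, and silently localising the naive value to the server's zone instead of UTC would shift the epoch by the zone offset and either let revoked tokens through or reject fresh ones.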
SUMMARY
Adds `docs/sip/auth-session-and-extension-supply-chain-hardening.md`, a SIP proposal collecting the security-review items that are not safely shippable as isolated, untested PRs (each needs a behavior-sensitive change, a schema migration, or cross-component coordination):

- `revoked_before` timestamp checked against the token `iat`.
- `EXTENSION_BLOCKLIST` already shipped).

Each section states the gap, a proposed design, compatibility considerations, and rejected alternatives, plus a suggested phasing.
TESTING INSTRUCTIONS
N/A — documentation only.
ADDITIONAL INFORMATION
🤖 Generated with Claude Code