
feat(auth): log out users deactivated mid-session#40675

Draft
rusackas wants to merge 1 commit into master from feat/logout-inactive-users

Conversation

Member

@rusackas rusackas commented Jun 2, 2026

Draft / hold:testing — runs on the authenticated request path. Needs end-to-end validation before merge (see "Why draft").

SUMMARY

Flask-Login only consults is_active when establishing a login; for an already-authenticated user it does not re-check it on subsequent requests. So a user an admin deactivates keeps their session until it expires (FINDING-018 / ASVS 7.4.2, CWE-613).

This adds a before_request hook that re-checks current_user.is_active and logs the user out as soon as their account is deactivated. The request then continues as anonymous, and the normal access controls deny protected views. Deleted users are already handled (the user loader returns None). No migration required; auth/login/logout/static/health endpoints are exempt to avoid loops.

This implements the immediate disable/delete case from the SIP (#40674, Part A2). The broader "invalidation epoch" (revoke sessions without deactivating the account) remains a future enhancement described in that SIP.

WHY DRAFT (hold:testing)

Adds a check on every authenticated request. Needs validation that: a disabled logged-in user is denied on their next request; normal active users and the login/logout/OAuth flows are unaffected; and the exemption list matches real endpoint names (no loop).

TESTING INSTRUCTIONS

pytest tests/unit_tests/security/test_session_validation.py

Unit test covers the endpoint-exemption logic. Before merge: disable a logged-in user and confirm their next request is denied; confirm active users and login/logout are unaffected.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code

Flask-Login only checks is_active when establishing a login; for an
already-authenticated user it does not re-check it per request, so a user
disabled by an administrator keeps their session until it expires (FINDING-018
/ ASVS 7.4.2, CWE-613).

Add a before_request hook that re-checks current_user.is_active and logs the
user out as soon as their account is deactivated; the request then proceeds as
anonymous and the normal access controls deny protected views. Deleted users
are already handled (the user loader returns None). No migration required;
auth/login/logout/static/health endpoints are exempt to avoid loops.

This implements the immediate disable/delete case from the SIP (Part A2); the
broader "invalidation epoch" (revoke sessions without deactivating) remains a
future enhancement.

DRAFT: runs on the authenticated request path; needs end-to-end validation
(disable a logged-in user, confirm next request is denied; confirm normal users
and the login/logout flow are unaffected) before merge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
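The hook described in the summary, together with the three checks the testing instructions call for (a deactivated logged-in user is denied on the next request, active users are unaffected, login/logout and the exempt endpoints do not loop), as an added example that is not code from this PR or from Superset. It is a stdlib-only Python model: is_active is consulted only at login, mirroring Flask-Login's login_user(), a before_request-style hook re-checks it on every non-exempt request, and the exemption is matched on the endpoint name. The user table, the session store, the endpoint names and every function name are assumptions made for the illustration.

```python
"""Model of a per-request is_active re-check (added example, not Superset code).

Flask-Login consults is_active only in login_user(); this models a
before_request hook that re-checks it on every authenticated request and
logs the user out if the account has been deactivated in the meantime.
All names, the in-memory stores and the exempt-endpoint list are
assumptions made for this illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    id: int
    username: str
    is_active: bool = True


# Constructed sample data: a hypothetical user table and a server-side
# session store mapping session id -> user id (stand-ins for the DB and
# the Flask session cookie).
USERS: Dict[int, User] = {1: User(1, "alice"), 2: User(2, "bob")}
SESSIONS: Dict[str, int] = {}

# Assumed endpoint names that must skip the check so the login flow and
# the logout itself cannot loop. The PR's real list is
# auth/login/logout/static/health; these exact names are illustrative.
EXEMPT_ENDPOINTS = ("login", "logout", "static", "health")


def load_user(user_id: int) -> Optional[User]:
    """The user loader: returns None for a deleted user."""
    return USERS.get(user_id)


def login(username: str) -> Optional[str]:
    """Mirrors login_user(): is_active is checked here, and only here."""
    user = next((u for u in USERS.values() if u.username == username), None)
    if user is None or not user.is_active:
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user.id
    return sid


def logout(sid: Optional[str]) -> None:
    """Mirrors logout_user(): drop the server-side session."""
    if sid is not None:
        SESSIONS.pop(sid, None)


def is_exempt(endpoint: str) -> bool:
    # Match on the registered endpoint name (e.g. "AuthDBView.login"),
    # not on the URL, so query strings and static paths cannot bypass it;
    # a view named "login_page" deliberately does not match.
    return endpoint.split(".")[-1] in EXEMPT_ENDPOINTS


def current_user(sid: Optional[str]) -> Optional[User]:
    """What Flask-Login's current_user resolves to for this session."""
    user_id = SESSIONS.get(sid) if sid else None
    if user_id is None:
        return None
    user = load_user(user_id)
    if user is None:          # deleted mid-session: loader returns None
        logout(sid)
    return user


def revalidate_session(endpoint: str, sid: Optional[str]) -> None:
    """The before_request hook being added: log out a deactivated user."""
    if is_exempt(endpoint):
        return
    user = current_user(sid)
    if user is not None and not user.is_active:
        logout(sid)           # the rest of the request runs as anonymous


def handle_request(endpoint: str, sid: Optional[str], hook: bool = True) -> int:
    """Dispatch one request; protected views require an authenticated user."""
    if hook:
        revalidate_session(endpoint, sid)
    if is_exempt(endpoint):
        return 200            # public endpoints never require a login
    return 200 if current_user(sid) is not None else 401


def deactivated_user_is_denied(hook: bool) -> List[int]:
    """Scenario: alice logs in, an admin deactivates her, she keeps browsing."""
    USERS[1].is_active = True
    sid = login("alice")
    first = handle_request("dashboard", sid, hook)   # before deactivation
    USERS[1].is_active = False                       # admin action
    second = handle_request("dashboard", sid, hook)  # the request that matters
    third = handle_request("health", sid, hook)      # exempt: no check, no loop
    USERS[1].is_active = True                        # reset sample data
    return [first, second, third]


if __name__ == "__main__":
    print("without hook:", deactivated_user_is_denied(hook=False))  # [200, 200, 200]
    print("with hook:   ", deactivated_user_is_denied(hook=True))   # [200, 401, 200]
```

Two things the model makes visible: with hook=False the second request still returns 200, which is the FINDING-018 behaviour, and the exemption is matched on the endpoint name rather than the URL, which is why the real exemption list has to be checked against the registered endpoint names before merge. As in the PR, an active account whose sessions should be revoked is untouched here; that is the invalidation-epoch case left to the SIP.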
@rusackas rusackas added the hold:testing! On hold for testing label Jun 2, 2026

netlify Bot commented Jun 2, 2026

Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 9ed8c1d
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/6a1e678fd47cf0000843c295
😎 Deploy Preview https://deploy-preview-40675--superset-docs-preview.netlify.app


codecov Bot commented Jun 2, 2026

Codecov Report

❌ Patch coverage is 79.16667% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.81%. Comparing base (a183582) to head (9ed8c1d).
⚠️ Report is 243 commits behind head on master.

Files with missing lines Patch % Lines
superset/security/session_validation.py 86.36% 2 Missing and 1 partial ⚠️
superset/initialization/__init__.py 0.00% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #40675      +/-   ##
==========================================
- Coverage   64.18%   63.81%   -0.38%     
==========================================
  Files        2591     2652      +61     
  Lines      138471   142187    +3716     
  Branches    32120    32573     +453     
==========================================
+ Hits        88883    90737    +1854     
- Misses      48056    49884    +1828     
- Partials     1532     1566      +34     
Flag Coverage Δ
hive 39.77% <70.83%> (+0.36%) ⬆️
mysql 58.40% <79.16%> (-0.65%) ⬇️
postgres 58.48% <79.16%> (-0.66%) ⬇️
presto 41.37% <70.83%> (+0.28%) ⬆️
python 59.96% <79.16%> (-0.60%) ⬇️
sqlite 58.14% <79.16%> (-0.64%) ⬇️
unit 100.00% <ø> (ø)


@rusackas rusackas changed the title feat(security): log out users deactivated mid-session feat(auth): log out users deactivated mid-session Jun 2, 2026
@rusackas rusackas moved this to Needs Follow-Up Work in Superset Review Help Wanted Jun 2, 2026
@rusackas rusackas requested a review from sha174n June 2, 2026 05:29
@rusackas rusackas requested a review from dpgaspar June 2, 2026 05:29