feat: support guest-token revocation per embedded dashboard #40676

Draft: rusackas wants to merge 1 commit into master from feat/guest-token-revocation

Conversation

@rusackas rusackas commented Jun 2, 2026

Draft / hold:testing — adds a DB migration and a per-request check on the guest-token path. Needs validation under embedded load before merge.

SUMMARY

Guest tokens (embedded dashboards) are self-contained JWTs validated only for signature, exp, and aud — there is no revocation. When an admin revokes a guest's access, existing tokens remain valid until expiry (ASVS 7.4.1, CWE-613).

This implements the SIP's Part A3:

  • Adds guest_token_revoked_before (epoch seconds) to embedded_dashboards (migration c8d2e3f4a5b6).
  • get_guest_user_from_request now rejects any guest token whose iat predates the revocation cutoff of one of its embedded-dashboard resources.
  • SecurityManager.revoke_guest_token_access(embedded_uuid) sets the cutoff to now — revoking all currently-issued tokens for that dashboard while leaving later-issued ones valid.

Guest tokens already carry iat, so no token-format change is required. Default behavior is unchanged (NULL cutoff ⇒ no revocation).

WHY DRAFT (hold:testing)

Wiring revoke_guest_token_access into an admin UI / REST action is a follow-up (this PR provides the mechanism). The revocation check adds a DAO lookup per guest request — needs validation under embedded load.

TESTING INSTRUCTIONS

pytest tests/unit_tests/security/test_guest_token_revocation.py

Tests: token issued before the cutoff is rejected; token issued after is still valid; no cutoff ⇒ valid; missing iat ⇒ not revoked.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags: EMBEDDED_SUPERSET
  • Changes UI
  • Includes DB Migration (adds embedded_dashboards.guest_token_revoked_before; reversible)
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code
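The mechanism the description lays out, as an added worked example that is not the PR's code or Superset's: a minimal HS256 guest token is verified for signature, exp and aud (the checks the description says exist today), and then rejected if its iat predates the revocation cutoff of any embedded-dashboard resource it names. An in-memory dict stands in for the `embedded_dashboards.guest_token_revoked_before` column; the `resources: [{"type": "dashboard", "id": <embedded uuid>}]` claim shape, the audience value, the signing key and the strict `iat < cutoff` comparison are all assumptions made for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Any

# Assumed audience value; Superset takes the real one from its config.
GUEST_TOKEN_AUDIENCE = "superset-embedded"
# Constructed signing key, for this example only.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_guest_token(claims: dict[str, Any], secret: bytes = DEMO_SECRET) -> str:
    """Mint a minimal HS256 JWT (stand-in for the guest-token issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def decode_guest_token(token: str, now: int, secret: bytes = DEMO_SECRET) -> dict[str, Any]:
    """The checks the PR says exist today: signature, exp and aud only."""
    header, payload, signature = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != GUEST_TOKEN_AUDIENCE:
        raise ValueError("wrong audience")
    return claims


def revoke_guest_token_access(embedded_uuid: str, cutoffs: dict[str, int | None],
                              now: int | None = None) -> int:
    """Set the dashboard's cutoff to now (epoch seconds). `cutoffs` stands in
    for the embedded_dashboards.guest_token_revoked_before column."""
    cutoff = int(time.time()) if now is None else now
    cutoffs[embedded_uuid] = cutoff
    return cutoff


def is_guest_token_revoked(claims: dict[str, Any], cutoffs: dict[str, int | None]) -> bool:
    """True when iat predates the cutoff of any embedded-dashboard resource in
    the token. A NULL cutoff and a missing iat both mean "not revoked"."""
    iat = claims.get("iat")
    if iat is None:
        return False
    for resource in claims.get("resources", []):
        if resource.get("type") != "dashboard":
            continue
        cutoff = cutoffs.get(resource.get("id"))
        if cutoff is not None and iat < cutoff:  # assumed strict comparison
            return True
    return False


def get_guest_user_from_token(token: str, now: int,
                              cutoffs: dict[str, int | None]) -> dict[str, Any] | None:
    """Full acceptance path: pre-existing checks, then the revocation check.
    Returns the claims on success and None on any rejection."""
    try:
        claims = decode_guest_token(token, now)
    except ValueError:
        return None
    if is_guest_token_revoked(claims, cutoffs):
        return None
    return claims


if __name__ == "__main__":
    dash = "11111111-aaaa-4bbb-8ccc-111111111111"  # constructed embedded uuid
    t0 = 1_780_000_000
    cutoffs: dict[str, int | None] = {dash: None}  # default: no revocation
    old = encode_guest_token({"iat": t0, "exp": t0 + 3600, "aud": GUEST_TOKEN_AUDIENCE,
                              "resources": [{"type": "dashboard", "id": dash}]})
    print("before revoke, old token accepted:", get_guest_user_from_token(old, t0 + 10, cutoffs) is not None)
    revoke_guest_token_access(dash, cutoffs, now=t0 + 100)
    print("after revoke, old token rejected:", get_guest_user_from_token(old, t0 + 110, cutoffs) is None)
    new = encode_guest_token({"iat": t0 + 200, "exp": t0 + 3800, "aud": GUEST_TOKEN_AUDIENCE,
                              "resources": [{"type": "dashboard", "id": dash}]})
    print("after revoke, new token accepted:", get_guest_user_from_token(new, t0 + 210, cutoffs) is not None)
```

The dict lookup in `is_guest_token_revoked` sits where the description's per-request DAO lookup sits, so that is the line whose cost the embedded-load validation has to measure. One boundary the four listed tests do not pin down: the cutoff is whole seconds and the comparison here is strict, so a token minted in the same second as the revocation has `iat == cutoff` and is accepted; whichever direction the project intends, that case deserves its own test.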

… [DRAFT]

Guest tokens are self-contained JWTs with no revocation: when an admin revokes
embedded access, existing tokens stay valid until exp (ASVS 7.4.1, CWE-613).

Add a guest_token_revoked_before column (epoch seconds) to embedded_dashboards
(migration c8d2e3f4a5b6) and reject, in get_guest_user_from_request, any guest
token whose iat predates the revocation cutoff of one of its embedded-dashboard
resources. Add SecurityManager.revoke_guest_token_access(embedded_uuid) to set
the cutoff to now. Guest tokens already carry iat, so no token format change.

DRAFT: implements the SIP's Part A3 mechanism. Wiring revoke_guest_token_access
into an admin UI / REST action is a follow-up. The revocation check adds a DAO
lookup per guest request; needs validation under embedded load.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@rusackas rusackas added the hold:testing! On hold for testing label Jun 2, 2026
@github-actions github-actions Bot added the risk:db-migration PRs that require a DB migration label Jun 2, 2026

netlify Bot commented Jun 2, 2026

Deploy Preview for superset-docs-preview ready!

Latest commit: 985bfdc
Latest deploy log: https://app.netlify.com/projects/superset-docs-preview/deploys/6a1e68b63373e60008e517aa
Deploy Preview: https://deploy-preview-40676--superset-docs-preview.netlify.app

codecov Bot commented Jun 2, 2026

Codecov Report

❌ Patch coverage is 56.66667% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.80%. Comparing base (a183582) to head (985bfdc).
⚠️ Report is 243 commits behind head on master.

Files with missing lines Patch % Lines
superset/security/manager.py 55.17% 8 Missing and 5 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #40676      +/-   ##
==========================================
- Coverage   64.18%   63.80%   -0.39%     
==========================================
  Files        2591     2651      +60     
  Lines      138471   142188    +3717     
  Branches    32120    32575     +455     
==========================================
+ Hits        88883    90725    +1842     
- Misses      48056    49895    +1839     
- Partials     1532     1568      +36     
Flag Coverage Δ
hive 39.74% <13.33%> (+0.34%) ⬆️
mysql 58.39% <56.66%> (-0.67%) ⬇️
postgres 58.46% <56.66%> (-0.68%) ⬇️
presto 41.35% <13.33%> (+0.26%) ⬆️
python 59.94% <56.66%> (-0.62%) ⬇️
sqlite 58.12% <56.66%> (-0.66%) ⬇️
unit 100.00% <ø> (ø)


@rusackas rusackas moved this to Needs Follow-Up Work in Superset Review Help Wanted Jun 2, 2026
@rusackas rusackas requested a review from sha174n June 2, 2026 05:30
@rusackas rusackas changed the title feat(security): support guest-token revocation per embedded dashboard feat: support guest-token revocation per embedded dashboard Jun 2, 2026
@rusackas rusackas requested a review from Vitor-Avila June 2, 2026 18:38

Labels: hold:testing! (On hold for testing), preset-io, review:draft, risk:db-migration (PRs that require a DB migration), size/L
