dosubot[bot] commented on issue #34696:
URL: https://github.com/apache/superset/issues/34696#issuecomment-3197752113
This is a confirmed bug: when a Guest user triggers an async query, the JWT 'sub' claim is set to None, which causes authentication to fail with a 401 error. The root cause is that Guest users don't have a user ID, so the code sets 'sub' to None instead of a unique string identifier.

A practical workaround is to extend the AsyncQueryManager and override the JWT generation logic so that if user_id is None, you set 'sub' to a default string like 'guest' or the guest username. For example:
```python
from flask import Flask, Response

from superset.async_events.async_query_manager import AsyncQueryManager


class CustomAsyncQueryManager(AsyncQueryManager):
    def register_request_handlers(self, app: Flask) -> None:
        @app.after_request
        def validate_session(response: Response) -> Response:
            # ... existing code ...
            # Guest users have no user_id; fall back to a fixed string so 'sub' is never None
            sub = str(user_id) if user_id else "guest"
            # ... rest of the method ...
```
This ensures the JWT always has a valid string in 'sub', which resolves the 401 for guest/embedded users with async queries. This approach is already suggested and discussed in a recent GitHub issue ([details and code sample here](https://github.com/apache/superset/issues/34611)).

As for security, using a static string like 'guest' or a guest username as 'sub' is generally safe for guest/embedded scenarios, as long as your permissions and resource scoping are enforced elsewhere. Just avoid using sensitive or guessable information in the 'sub' claim.

No recent PRs have addressed this in mainline Superset, so a local patch or subclass is currently the best option.
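To make the failure mode in the comment above concrete, here is an added example (not Superset's code and not from the issue): a minimal stdlib HS256 JWT mint/verify pair whose verifier rejects a non-string `sub` (modelling the strict subject check that yields the 401), run against both the buggy `sub=None` token and the `'guest'` fallback. The secret, channel id and `mint_async_token` helper are constructed for the demo.

```python
# Added example, not Superset's code: shows why a None 'sub' claim fails
# verification and how the 'guest' fallback from the workaround fixes it.
import base64
import hashlib
import hmac
import json
from typing import Any, Optional

SECRET = b"constructed-demo-secret"  # constructed; not a real deployment secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict[str, Any], secret: bytes = SECRET) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def decode_jwt(token: str, secret: bytes = SECRET) -> dict[str, Any]:
    """Verify the HMAC, then require 'sub' (if present) to be a string, as
    RFC 7519 defines it. This strict check is an assumption modelling the
    validation behind the 401, not a copy of Superset's own logic."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if "sub" in payload and not isinstance(payload["sub"], str):
        raise ValueError("Subject must be a string")  # sub=None lands here -> 401
    return payload


def mint_async_token(channel_id: str, user_id: Optional[int], fixed: bool) -> str:
    """fixed=False mirrors the bug (sub becomes None for guests);
    fixed=True applies the workaround: a fixed 'guest' subject."""
    sub = str(user_id) if user_id else ("guest" if fixed else None)
    return encode_jwt({"channel": channel_id, "sub": sub})


def token_is_accepted(token: str) -> bool:
    try:
        decode_jwt(token)
        return True
    except ValueError:
        return False
```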
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.