bito-code-review[bot] commented on code in PR #38177: URL: https://github.com/apache/superset/pull/38177#discussion_r2839164590
########## superset/config.py: ########## @@ -2445,6 +2445,12 @@ class ExtraDynamicQueryFilters(TypedDict, total=False): # connection via the UI (without downtime). CATALOGS_SIMPLIFIED_MIGRATION: bool = False +# Configure JWT subsystem to not enforce that the sub claim is a string +# Set this variable to avoid breaking `/api/security` endpoints +# TODO: remove this variable once pyjwt resolved the issue. +# https://github.com/jpadilla/pyjwt/issues/1017 +# https://github.com/dpgaspar/Flask-AppBuilder/issues/2287 +JWT_VERIFY_SUB: bool = False
Review Comment:
JWT sub claim verification disabled
The JWT_VERIFY_SUB = False config disables enforcement that JWT sub claims must be strings per the JWT specification. This could allow invalid tokens and poses a security risk. Consider ensuring sub claims are cast to strings when creating tokens instead of disabling verification.
Code Review Run #1c6354
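Review bot: the comment above the new setting reads like an operator instruction ("Set this variable to avoid breaking `/api/security` endpoints"), but the hunk already ships `JWT_VERIFY_SUB: bool = False` as the default in config.py, so every deployment gets the relaxed sub-claim check without opting in; either reword the comment to describe the shipped default and its effect (the sub claim is no longer required to be a string until the linked pyjwt and Flask-AppBuilder issues are resolved), or keep the strict default and document the override for the deployments that hit the breakage. The TODO line also has a tense slip: "once pyjwt resolved the issue" should read "once pyjwt resolves the issue".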
