Use API authentication instead of token scraping #379

Open
joaopamaral wants to merge 22 commits into preset-io:main from Automattic:make-auth-through-api


@joaopamaral commented Feb 26, 2026


Replace the HTML-scraping-based authentication with Superset's official security API endpoints.

Previously, UsernamePasswordAuth authenticated by:

  1. Fetching /login/ and scraping the CSRF token from the HTML using BeautifulSoup
  2. POSTing credentials to /login/ as form data

This was fragile and dependent on Superset's frontend HTML structure. The new approach uses the documented REST API:

  1. POST /api/v1/security/login → obtains a JWT access token
  2. GET /api/v1/security/csrf_token/ → obtains a CSRF token using the Bearer token

It was initially proposed in #319 (but I forgot to address the comments, sorry @Vitor-Avila)

@joaopamaral marked this pull request as ready for review February 26, 2026 14:13

@Vitor-Avila (Contributor) left a comment
left a few comments

Comment thread src/preset_cli/auth/superset.py Outdated
Comment thread src/preset_cli/auth/superset.py
Comment thread src/preset_cli/cli/superset/main.py

@Vitor-Avila (Contributor)

also unsure why the CI hasn't completed, but hopefully that's fixed with a new commit

@joaopamaral (Author)

@Vitor-Avila, can you test with db one? I've only validated with ldap. Thanks

@Vitor-Avila (Contributor) left a comment

Left some comments.

Tests are still failing as well, let me know if you can see the errors, or if you want me to share here.

Thanks!

Comment thread src/preset_cli/auth/superset.py Outdated
Comment thread src/preset_cli/auth/superset.py
joaopamaral and others added 2 commits May 4, 2026 16:46
Try the security API first; on failure, log a warning and use the
previous BeautifulSoup-based /login/ flow so older Superset instances
keep working.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
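
The two-step API login from the pull request description, with the API-first fallback from the commit message above, as an added example that is not code from this pull request. It runs against a constructed local stub rather than a real Superset instance; `StubSuperset`, `api_login`, `authenticate`, `legacy_login`, the demo credentials and tokens, the `X-CSRFToken` header choice, and the set of errors that trigger the fallback are assumptions.

```python
import json, logging, threading, urllib.error
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import HTTPCookieProcessor, ProxyHandler, Request, build_opener

class StubSuperset(BaseHTTPRequestHandler):
    """Constructed stand-in for a Superset server; tokens and password are made up."""
    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_POST(self):
        creds = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        ok = self.path == "/api/v1/security/login" and creds.get("password") == "s3cret"
        self._send(*((200, {"access_token": "jwt-demo"}) if ok else (401, {})))
    def do_GET(self):
        ok = (self.path == "/api/v1/security/csrf_token/"
              and self.headers.get("Authorization") == "Bearer jwt-demo")
        self._send(*((200, {"result": "csrf-demo"}) if ok else (401, {})))
    def log_message(self, *args): pass  # keep the demo quiet

def api_login(base_url, username, password, provider="db"):
    """JWT from /api/v1/security/login, then the CSRF token fetched with that JWT."""
    opener = build_opener(ProxyHandler({}), HTTPCookieProcessor())  # no proxy, shared cookies
    body = json.dumps({"username": username, "password": password,
                       "provider": provider, "refresh": True}).encode()
    login = Request(f"{base_url}/api/v1/security/login", data=body,
                    headers={"Content-Type": "application/json"})
    with opener.open(login, timeout=5) as resp:
        bearer = {"Authorization": "Bearer " + json.load(resp)["access_token"]}
    csrf = Request(f"{base_url}/api/v1/security/csrf_token/", headers=bearer)
    with opener.open(csrf, timeout=5) as resp:
        return {**bearer, "X-CSRFToken": json.load(resp)["result"]}

def authenticate(base_url, username, password, legacy_login):
    """API first; on failure, warn and call legacy_login (hypothetical callable)."""
    try:
        return api_login(base_url, username, password)
    except (urllib.error.URLError, KeyError, ValueError) as exc:
        logging.warning("API login failed (%s); falling back to /login/ form", exc)
        return legacy_login()

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubSuperset)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    results = [authenticate(base, "admin", pw, lambda: "legacy") for pw in ("s3cret", "wrong")]
    server.shutdown()
    return results
```

In this example the fallback fires on any failure, including a 401, so a rejected password is submitted a second time through the legacy flow and counts twice against any lockout policy.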

@joaopamaral (Author)

hey @Vitor-Avila, addressed the comments, added the fallback to html approach

Rename mocker.patch return value from UsernamePasswordAuth to
username_password_auth to satisfy snake_case style.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@Vitor-Avila (Contributor)

hey @joaopamaral tests are failing, can you please review? Thanks!

joaopamaral and others added 2 commits May 5, 2026 13:50
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolve conflict in tests/cli/superset/main_test.py by adopting
upstream's substring-based assertions for `superset export --help`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@joaopamaral (Author)

Sorry @Vitor-Avila, applied black formatting
