fix(mcp_service): reduce deprecated authlib.jose.errors imports #41248

Open: eschutho wants to merge 1 commit into apache:master from eschutho:fix/mcp-authlib-jose-error-imports
@eschutho

Member

Summary

Deprecation warning

authlib.jose has been deprecated since authlib 1.3+ in favour of joserfc. The library itself forces AuthlibDeprecationWarning visible at all warning levels by calling warnings.simplefilter("always", AuthlibDeprecationWarning) before emitting it. Our MCP service previously imported four specific error subclasses directly from the deprecated path.

What changed

superset/mcp_service/jwt_verifier.py

  • Reduced from four authlib.jose.errors imports (BadSignatureError, DecodeError, ExpiredTokenError, JoseError) to a single JoseError import.
  • Tightened the header-parse except clause from except (ValueError, DecodeError) to except ValueError; _decode_token_header() only raises ValueError (via base64.urlsafe_b64decode → binascii.Error → subclass, and json.JSONDecodeError → subclass).
  • Merged the three separate decode-path except clauses into a single except JoseError as e: block that discriminates by the e.error attribute value ("bad_signature" → "Signature verification failed", "expired_token" → "Token has expired (detected during decode)", else → "Token decode failed"). Attribute strings verified against authlib source.

superset/mcp_service/mcp_config.py

  • Removed the from authlib.jose.errors import JoseError import entirely.
  • Widened the verifier-construction fallback from except (ValueError, JoseError) to except Exception. The handler already deliberately suppresses exception details (they may contain key material); this also covers realistic throws the old handler missed (pydantic.ValidationError, cryptography.*Error from malformed keys).

The warnings.filterwarnings call in __init__.py is still needed (fastmcp imports authlib.jose internally) and is unchanged.

No behavior change

  • All existing test assertions for BadSignatureError, DecodeError, and ExpiredTokenError remain correct — the new handler routes each to the same failure reason string via e.error attribute matching.
  • The header-parse block change is safe: _decode_token_header() cannot raise a JoseError.

Test plan

  • pytest tests/unit_tests/mcp_service/test_jwt_verifier.py -x — all jwt_verifier tests pass
  • pytest tests/unit_tests/mcp_service/test_mcp_config.py -x — mcp_config tests pass
  • Confirm no AuthlibDeprecationWarning leaks appear when running MCP service tests (-W error::DeprecationWarning or checking test output)

🤖 Generated with Claude Code

The authlib.jose module is deprecated since authlib 1.3+ in favour of
joserfc. Our MCP service imported four specific error subclasses
(BadSignatureError, DecodeError, ExpiredTokenError, JoseError) from the
deprecated path. This commit:

- jwt_verifier.py: collapse the four imports to a single `JoseError`
  import. The three specific decode-path except clauses are merged into
  one `except JoseError` block that discriminates by `e.error` attribute
  value ("bad_signature", "expired_token", or generic). The header-parse
  catch is tightened from `except (ValueError, DecodeError)` to
  `except ValueError` since `_decode_token_header` only raises ValueError.

- mcp_config.py: remove the `JoseError` import entirely. The verifier-
  construction fallback is broadened from `except (ValueError, JoseError)`
  to `except Exception` — the handler already suppresses details to avoid
  leaking key material, so no information is lost.

Both changes are no-behaviour-change for correct code paths. The
filterwarnings call in __init__.py continues to suppress the authlib.jose
deprecation warning emitted by fastmcp's internal import.
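
The two handlers described in the summary and commit message above, as an added example that is not taken from the Superset source: one `except JoseError` block that picks the failure reason from `e.error`, and a construction fallback that catches everything but logs only the exception type. The exception classes are local stand-ins for `authlib.jose.errors` so the block runs without authlib; `classify_decode_failure`, `build_verifier_or_none`, the logger name and the `"decode_error"` value are assumptions made for illustration.

```python
import logging

logger = logging.getLogger("mcp_auth_example")  # hypothetical logger name


# Stand-ins for authlib.jose.errors: each class carries an `error` class
# attribute. "bad_signature" and "expired_token" are the values quoted in the
# PR description; "decode_error" is an assumed value for the generic case.
class JoseError(Exception):
    error = None

class BadSignatureError(JoseError):
    error = "bad_signature"

class ExpiredTokenError(JoseError):
    error = "expired_token"

class DecodeError(JoseError):
    error = "decode_error"


# Reason strings as listed in the PR description.
REASONS = {
    "bad_signature": "Signature verification failed",
    "expired_token": "Token has expired (detected during decode)",
}


def classify_decode_failure(decode, token):
    """Run decode(token); return (claims, None) or (None, reason)."""
    try:
        return decode(token), None
    except JoseError as e:
        # Match on the attribute value, not the subclass. getattr() keeps a
        # subclass without `error` on the generic path instead of raising.
        return None, REASONS.get(getattr(e, "error", None), "Token decode failed")


def build_verifier_or_none(factory):
    """Construction fallback: catch everything, log only the exception type."""
    try:
        return factory()
    except Exception as e:  # broad on purpose, as in the PR's mcp_config.py change
        # str(e) may embed key material, so only the class name is logged.
        logger.error("JWT verifier construction failed (%s)", type(e).__name__)
        return None
```

Exceptions that are not `JoseError` subclasses still propagate out of `classify_decode_failure`, so the caller decides how to treat them.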
@bito-code-review

bito-code-review Bot commented Jun 19, 2026

Contributor

Code Review Agent Run #a07c40

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 6e7d4fa..6e7d4fa
    • superset/mcp_service/jwt_verifier.py
    • superset/mcp_service/mcp_config.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

@netlify

netlify Bot commented Jun 19, 2026


Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 6e7d4fa
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/6a356c2518f8ce000896a43a
😎 Deploy Preview https://deploy-preview-41248--superset-docs-preview.netlify.app
@codecov

codecov Bot commented Jun 19, 2026


Codecov Report

❌ Patch coverage is 10.00000% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.34%. Comparing base (4053f53) to head (6e7d4fa).
⚠️ Report is 25 commits behind head on master.

Files with missing lines | Patch % | Lines
superset/mcp_service/jwt_verifier.py | 11.11% | 8 Missing ⚠️
superset/mcp_service/mcp_config.py | 0.00% | 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #41248      +/-   ##
==========================================
- Coverage   64.35%   64.34%   -0.01%     
==========================================
  Files        2651     2651              
  Lines      144804   144832      +28     
  Branches    33413    33421       +8     
==========================================
+ Hits        93187    93195       +8     
- Misses      49947    49965      +18     
- Partials     1670     1672       +2     
Flag | Coverage Δ
hive | 39.31% <10.00%> (-0.01%) ⬇️
mysql | 58.04% <10.00%> (-0.02%) ⬇️
postgres | 58.10% <10.00%> (-0.02%) ⬇️
presto | 40.90% <10.00%> (-0.01%) ⬇️
python | 59.55% <10.00%> (-0.02%) ⬇️
sqlite | 57.76% <10.00%> (-0.02%) ⬇️
unit | 100.00% <ø> (ø)
