
security: upgrade authlib, cryptography, and dependent packages#7729

Open
wtfiwtz wants to merge 4 commits into getredash:master from orchestrated-io:security/authlib-1.7-oauth-api

Conversation

@wtfiwtz

@wtfiwtz wtfiwtz commented Jun 2, 2026

What type of PR is this?

  • Refactor

Description

Upgrade authlib to 1.7.2, which requires a chain of dependent upgrades due to minimum version constraints in the dependency tree.

Core security upgrades:

  • authlib: 0.15.5 → 1.7.2 (OAuth/OIDC CVE fixes including CVE-2024-37568)
  • cryptography: 43.0.1 → 48.0.0 (required by authlib 1.7, multiple OpenSSL CVEs)
  • pyjwt: 2.4.0 → 2.12.0 (required by snowflake, fixes CVE-2022-29217)
  • pyopenssl: 24.2.1 → 26.2.0 (required by cryptography 48)
  • requests: 2.32.3 → 2.33.0 (required by snowflake 4.5)

Data source dependency upgrades (required by above):

  • snowflake-connector-python: 3.12.3 → 4.5.0 (requires cffi >=2.0, cryptography >=45)
  • New transitive deps: azure-core, grpcio, h11, httpcore, marshmallow

OAuth API migration for authlib 1.x:

  • Pass explicit client_id/client_secret to oauth.register() in google_oauth.py
  • authlib 1.x requires explicit OAuth client credentials in register() call

These upgrades form a tightly coupled dependency chain where each package requires specific minimum versions of others, making them impractical to split into separate PRs:

  • authlib 1.7 requires cryptography >=45
  • cryptography 48 requires pyopenssl >=26
  • snowflake 4.5 requires cryptography >=45, pyjwt >=2.10, requests >=2.32.4

How is this tested?

  • Unit tests (pytest) - OAuth/auth flows tested
  • Manually (container testing required for full validation)

Related Tickets & Documents

Split from orchestrated-io/redash#7719 per @zachliu's review feedback. This PR groups tightly coupled dependencies that cannot be upgraded independently.

Part of the security vulnerability remediation work tracked in #7711.

Note

This PR is marked as draft until manual testing is complete.

Made with Cursor
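The dependency chain described in the PR above can be checked mechanically rather than reasoned through by hand. The script below is an added example, not code from this PR or from the Redash project: it encodes the minimum-version constraints and the old and new pins quoted in the description as constructed data, and reports which constraints break when any single package is upgraded on its own, which is the argument for landing the pins together. The version parser is a deliberately simplified stdlib-only comparison (numeric dot-separated releases only), not a full PEP 440 implementation; use the `packaging` library for real requirement files.

```python
"""Check pinned package versions against declared minimum-version constraints.

Constructed example data: pins and constraints are transcribed from the PR
description. Version handling is a simplified stdlib-only comparison
(numeric dot-separated releases), not PEP 440.
"""
import re

# (package, version of package from which the rule applies, dependency, minimum dependency version)
# Assumption: a rule only applies once the pinned package is at or above pkg_min.
CONSTRAINTS = [
    ("authlib", "1.7", "cryptography", "45"),
    ("cryptography", "48", "pyopenssl", "26"),
    ("snowflake-connector-python", "4.5", "cryptography", "45"),
    ("snowflake-connector-python", "4.5", "pyjwt", "2.10"),
    ("snowflake-connector-python", "4.5", "requests", "2.32.4"),
]

# Pins before and after the PR, as listed in the description (constructed data).
OLD_PINS = {
    "authlib": "0.15.5",
    "cryptography": "43.0.1",
    "pyjwt": "2.4.0",
    "pyopenssl": "24.2.1",
    "requests": "2.32.3",
    "snowflake-connector-python": "3.12.3",
}
NEW_PINS = {
    "authlib": "1.7.2",
    "cryptography": "48.0.0",
    "pyjwt": "2.12.0",
    "pyopenssl": "26.2.0",
    "requests": "2.33.0",
    "snowflake-connector-python": "4.5.0",
}


def parse_version(version):
    """Parse 'X.Y.Z' into a tuple of ints, padded to at least three parts so '45' == '45.0.0'."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version string: {version!r}")
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def check_pins(pins, constraints=CONSTRAINTS):
    """Return a list of human-readable violations; an empty list means the pin set is consistent."""
    violations = []
    for pkg, pkg_min, dep, dep_min in constraints:
        if pkg not in pins:
            continue  # the rule concerns a package this pin set does not ship
        if parse_version(pins[pkg]) < parse_version(pkg_min):
            continue  # older release line, the rule does not apply yet
        if dep not in pins:
            violations.append(f"{pkg}=={pins[pkg]} needs {dep}>={dep_min}, but {dep} is not pinned")
        elif parse_version(pins[dep]) < parse_version(dep_min):
            violations.append(f"{pkg}=={pins[pkg]} needs {dep}>={dep_min}, pinned {dep}=={pins[dep]}")
    return violations


def partial_upgrade_violations(old_pins, new_pins, package):
    """Simulate upgrading a single package while leaving every other pin at its old value."""
    pins = dict(old_pins)
    pins[package] = new_pins[package]
    return check_pins(pins)


if __name__ == "__main__":
    print("old pin set:", check_pins(OLD_PINS) or "consistent")
    print("new pin set:", check_pins(NEW_PINS) or "consistent")
    # Each single-package upgrade on its own breaks at least one declared constraint.
    for name in NEW_PINS:
        for problem in partial_upgrade_violations(OLD_PINS, NEW_PINS, name):
            print(f"upgrading only {name}: {problem}")
```

Run as a script it prints that both the old and the new pin sets are internally consistent, then lists the constraint each lone upgrade would violate; upgrading only snowflake-connector-python, for example, trips three of them at once.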

Upgrade authlib to 1.7.2, which requires a chain of dependent upgrades
due to minimum version constraints in the dependency tree.

Core security upgrades:
- authlib: 0.15.5 → 1.7.2 (OAuth/OIDC CVE fixes including CVE-2024-37568)
- cryptography: 43.0.1 → 48.0.0 (required by authlib 1.7, multiple OpenSSL CVEs)
- pyjwt: 2.4.0 → 2.12.0 (required by snowflake, fixes CVE-2022-29217)
- pyopenssl: 24.2.1 → 26.2.0 (required by cryptography 48)
- requests: 2.32.3 → 2.33.0 (required by snowflake 4.5)

Data source dependency upgrades (required by above):
- snowflake-connector-python: 3.12.3 → 4.5.0 (requires cffi >=2.0, cryptography >=45)
- New transitive deps: azure-core, grpcio, h11, httpcore, marshmallow

OAuth API migration for authlib 1.x:
- Pass explicit client_id/client_secret to oauth.register() in google_oauth.py
- authlib 1.x requires explicit OAuth client credentials in register() call

These upgrades form a tightly coupled dependency chain where each package
requires specific minimum versions of others, making them impractical to
split into separate PRs.

Related: split from orchestrated-io/redash#7719
Co-authored-by: Cursor <cursoragent@cursor.com>
@wtfiwtz wtfiwtz marked this pull request as ready for review June 3, 2026 20:36
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 5 files

