
[api] enable CSRF by default #9205

Merged (3 commits, Mar 3, 2020)

Conversation

dpgaspar (Member) wrote:

CATEGORY

Choose one

  • Bug Fix
  • Enhancement (new features, refinement)
  • Refactor
  • Add tests
  • Build / Development Environment
  • Documentation

SUMMARY

Enables CSRF on the new REST API by default. Uses Flask-WTF CSRF protection.
Thank you @nytai for helping out on the frontend side.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Requires DB Migration.
  • Confirm DB Migration upgrade and downgrade tested.
  • Introduces new feature or API
  • Removes existing feature or API

REVIEWERS

dpgaspar changed the title from "Fix/csrf api" to "[api] enable CSRF by default" on Feb 26, 2020

etr2460 (Member) left a comment:


How does this interact with the current csrf token? Are we sending two down to the client? How do we know which one to use?

nytai (Member) commented Feb 26, 2020:

@etr2460 Given that FAB/superset supports multiple auth methods, there are multiple libraries for handling CSRF protection on the backend. The one that's on by default is provided by Flask-WTF; this is the one currently used when username/pw auth is configured. When using flask-wtf the csrf is provided via a Jinja function (meant to be inserted in the DOM). When using flask-jwt-extended the csrf is provided in a cookie and it should match what's in the JWT payload.

This PR adds functionality to default to using the CSRF token provided by flask-wtf; however, if that is disabled (via a config flag) and doesn't exist in the DOM, then we check for the presence of the token in the cookie. This allows for both methods of checking CSRF. If both methods are enabled (they shouldn't be) then it'll default to the flask-wtf token.
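The token-selection order described in the comment above, as an added example that is not code from this PR or from Superset: prefer the Flask-WTF token that Jinja rendered into the DOM, otherwise fall back to the flask-jwt-extended CSRF cookie, and send the token in the header the chosen backend expects. The header and cookie names are the two libraries' documented defaults and are assumptions about the deployment, as is the `csrf_token` element id; DOM and cookie access are passed in as plain values so the code runs outside a browser.

```javascript
// Added example, not code from the Superset PR: resolve the CSRF token the way
// the comment above describes. Prefer the Flask-WTF token that Jinja rendered
// into the DOM; if that is absent (Flask-WTF CSRF disabled in config), fall
// back to the flask-jwt-extended CSRF cookie. Names below are the libraries'
// documented defaults and are assumptions about the deployment.
const WTF_HEADER = "X-CSRFToken";        // Flask-WTF default header name (assumed)
const JWT_COOKIE = "csrf_access_token";  // flask-jwt-extended default cookie name (assumed)
const JWT_HEADER = "X-CSRF-TOKEN";       // flask-jwt-extended default header name (assumed)

// Methods Flask-WTF leaves unprotected; everything else must carry a token.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function needsCsrfToken(method) {
  return !SAFE_METHODS.has(String(method).toUpperCase());
}

// Minimal document.cookie parser: values are URL-decoded, malformed parts skipped.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      // A cookie that is not valid percent-encoding is ignored rather than
      // allowed to break token resolution for the whole request.
    }
  }
  return cookies;
}

// domToken: the Flask-WTF token found in the DOM (null or "" when not rendered).
// cookieString: document.cookie, or any string in that format.
// Returns the backend the token belongs to, the header it expects, and the
// token, or null when neither source is present. When both are present the
// Flask-WTF token wins, matching the order described in the comment above.
function resolveCsrfToken({ domToken, cookieString }) {
  if (domToken) {
    return { source: "flask-wtf", header: WTF_HEADER, token: domToken };
  }
  const cookies = parseCookies(cookieString);
  if (cookies[JWT_COOKIE]) {
    return { source: "flask-jwt-extended", header: JWT_HEADER, token: cookies[JWT_COOKIE] };
  }
  return null;
}

// Build request headers. Throws for a state-changing request that cannot be
// protected, so a misconfigured client fails loudly instead of sending a
// request the server will reject (or accept, if CSRF was silently turned off).
function csrfHeaders(method, sources, extra = {}) {
  const headers = { ...extra };
  if (!needsCsrfToken(method)) return headers;
  const resolved = resolveCsrfToken(sources);
  if (!resolved) {
    throw new Error(`no CSRF token available for ${method} request`);
  }
  headers[resolved.header] = resolved.token;
  return headers;
}

// Browser usage (not executed here). The element id and the path are assumed.
//   const sources = {
//     domToken: document.getElementById("csrf_token")?.value,
//     cookieString: document.cookie,
//   };
//   fetch("/api/v1/example", {
//     method: "POST",
//     credentials: "same-origin",
//     headers: csrfHeaders("POST", sources, { "Content-Type": "application/json" }),
//     body: JSON.stringify(payload),
//   });
```

`csrfHeaders` deliberately refuses to build a POST/PUT/PATCH/DELETE request with no token rather than sending it bare: if neither mechanism is active the client should surface a configuration problem, not quietly exercise an unprotected endpoint.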

@dpgaspar dpgaspar marked this pull request as ready for review February 28, 2020 10:18
@dpgaspar dpgaspar merged commit 26e916e into apache:master Mar 3, 2020
mistercrunch added the labels `bot` (used by `supersetbot` to track PRs auto-tagged with release labels) and `🚢 0.36.0` on Feb 28, 2024
Labels: bot, size/M, v0.36, 🚢 0.36.0

6 participants