From bcba0fa35fca11e7ef8c54adef2d5ffe57a2de1a Mon Sep 17 00:00:00 2001
From: David Aaron Suddjian
Date: Wed, 8 Dec 2021 17:03:41 -0800
Subject: [PATCH] get guest token from header instead of cookie
---
 superset/config.py | 2 +-
 superset/security/manager.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/superset/config.py b/superset/config.py
index 28f5e98747b4..f9b734340dbc 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1262,7 +1262,7 @@ def SQL_QUERY_MUTATOR( # pylint: disable=invalid-name,unused-argument
 GUEST_ROLE_NAME = "Public"
 GUEST_TOKEN_JWT_SECRET = "test-guest-secret-change-me"
 GUEST_TOKEN_JWT_ALGO = "HS256"
-GUEST_TOKEN_COOKIE_NAME = "__guest_token__"
+GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
 GUEST_TOKEN_JWT_EXP_SECONDS = 300 # 5 minutes
 # A SQL dataset health check. Note if enabled it is strongly advised that the callable
diff --git a/superset/security/manager.py b/superset/security/manager.py
index ca4d864afc39..96363d2741aa 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -1283,7 +1283,7 @@ def get_guest_user(self, req: Request) -> Optional[GuestUser]:
 :return: A guest user object
 """
- raw_token = req.cookies.get(current_app.config["GUEST_TOKEN_COOKIE_NAME"])
+ raw_token = req.headers.get(current_app.config["GUEST_TOKEN_HEADER_NAME"])
 if raw_token is None:
 return None
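Review bot: In superset/config.py the `GUEST_TOKEN_COOKIE_NAME` key is dropped with no fallback, so a deployment that already overrides it would have that setting silently ignored once the lookup reads `GUEST_TOKEN_HEADER_NAME`. The new key also carries no comment saying what it is for; I would add `# Request header in which the embedding client sends the guest JWT` directly above it. A custom header on a cross-origin request triggers a CORS preflight, so if embedded dashboards are served cross-origin the comment should also say that this header name has to be allowed in the deployment's CORS settings.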
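Review bot: In superset/security/manager.py the guard after the new `req.headers.get(...)` line rejects only a missing header, so a request that sends the header with an empty value is not `None` and falls through to the token parsing; `if not raw_token: return None` would treat both cases as "no guest token". The body of `get_guest_user` continues outside the hunk, so how the parser handles an empty string is not visible here. The docstring is also cut off above the hunk; if it still mentions a cookie it should say the token is read from the request header named by `GUEST_TOKEN_HEADER_NAME`. It is worth recording there as well that a header-borne token is no longer attached automatically by the browser, which removes it as an ambient credential but means the embedding script holds the token.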