Even with WTF_CSRF_ENABLED = False, I still get CSRF errors

[havedill]

A clear and concise description of what the bug is.

How to reproduce the bug

Brand new installation, using TAG=3.0.0rc1 docker compose -f docker-compose-non-dev.yml up

I have WTF_CSRF_ENABLED = False in superset/config.py

When i try to log in as my user, i get no error page and the console logs the following:

superset_app          | During handling of the above exception, another exception occurred:
superset_app          |
superset_app          | Traceback (most recent call last):
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1821, in full_dispatch_request
superset_app          |     rv = self.preprocess_request()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2313, in preprocess_request
superset_app          |     rv = self.ensure_sync(before_func)()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
superset_app          |     self.protect()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 264, in protect
superset_app          |     self._error_response(e.args[0])
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 307, in _error_response
superset_app          |     raise CSRFError(reason)
superset_app          | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
superset_app          | 2023-07-17 15:56:53,862:WARNING:superset.views.base:Refresh CSRF token error
superset_app          | Traceback (most recent call last):
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 261, in protect
superset_app          |     validate_csrf(self._get_csrf_token())
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 103, in validate_csrf
superset_app          |     raise ValidationError("The CSRF session token is missing.")
superset_app          | wtforms.validators.ValidationError: The CSRF session token is missing.
superset_app          |
superset_app          | During handling of the above exception, another exception occurred:
superset_app          |
superset_app          | Traceback (most recent call last):
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1821, in full_dispatch_request
superset_app          |     rv = self.preprocess_request()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2313, in preprocess_request
superset_app          |     rv = self.ensure_sync(before_func)()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
superset_app          |     self.protect()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 264, in protect
superset_app          |     self._error_response(e.args[0])
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 307, in _error_response
superset_app          |     raise CSRFError(reason)
superset_app          | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.

Expected results

I would expect to be logged in

Actual results

Console simply logs an exception

Environment

(please complete the following information):

Chrome,
Windows 11 Client
Almalinux 9 - Server/Docker host
Superset 3.0.0RC1

[havedill]

Switching to 2.1.1rc1, and this issue does not occur for me. Only on the 3.0.0rc1 branch I have this issue.

[lf-floriandin]

Got the same issue installing 3.0.0Rc2 with pip on Ubuntu 22.04.

[AidanHarveyNelson]

I found this in the superset repo https://github.com/apache/superset/blob/master/.github/workflows/ecs-task-definition.json

When I followed it by setting TALISMAN_ENABLED = False environment variable I was able to get superset to log me in.

[hrikken]

Same here with latest docker-compose-no-dev. Unable to log in.

[Mirieri]

This issue seems not to have been solved, I have installed it with docker and made configuration changes on the superset_config.py file. ERROR INFO: INFO:flask_wtf.csrf: The CSRF session token is missing.

[michael-s-molina]

Please check #24579. Specifically if configuring TALISMAN resolves the issue.

[snowsky]

I found this in the superset repo https://github.com/apache/superset/blob/master/.github/workflows/ecs-task-definition.json

When I followed it by setting TALISMAN_ENABLED = False environment variable I was able to get superset to log me in.

This works for me. 👍

[rusackas]

Closing this since we seem to have a winning solution. Holler if this needs any revisit.

[dmuldoonadl]

I still see this when celery workers try cache warmup. Setting WTF_CSRF_ENABLED = False in superset_config.py has no effect.

[spars57]

I'm having the same issue on 3.10, after setting WTF_CSRF_ENABLED = False the problem remains

[rusackas]

Ok... reopening... I wish I had a pointer for this one 😓

[spars57]

I was able to fix it but not sure how, I think we can close this issue