chore: support different JWT CSRF cookie names #25891

Merged
merged 6 commits into from
Nov 14, 2023


dpgaspar
Member

@dpgaspar dpgaspar commented Nov 7, 2023

SUMMARY

Currently SupersetClient only supports the flask-jwt-extended default access CSRF cookie name, yet this name can be set using JWT_ACCESS_CSRF_COOKIE_NAME.
This PR makes SupersetClient support this config.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@dpgaspar dpgaspar changed the title Chore/csrf access token chore: support different JWT CSRF cookie names Nov 7, 2023
Member

@jfrag1 jfrag1 left a comment

LGTM


function getDefaultConfiguration(): ClientConfig {
const csrfNode = document.querySelector<HTMLInputElement>('#csrf_token');
const csrfToken = csrfNode?.value;

// when using flask-jwt-extended csrf is set in cookies
const cookieCSRFToken = parseCookie().csrf_access_token || '';
const jwtAccessCsrfCookieName =
bootstrapData.common.conf.JWT_ACCESS_CSRF_COOKIE_NAME;
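
Review bot: The read of `bootstrapData.common.conf.JWT_ACCESS_CSRF_COOKIE_NAME` has no guard and no default, so the client relies on the server always shipping that key in bootstrap data. If `common.conf` is missing the property access throws, and if the key is undefined the lookup matches no cookie and the CSRF token silently resolves to empty. Consider `bootstrapData.common?.conf?.JWT_ACCESS_CSRF_COOKIE_NAME ?? 'csrf_access_token'`, which keeps the literal that `parseCookie().csrf_access_token` used, plus a unit test that sets a non-default cookie name.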
Member

Shouldn't we have a fallback here to 'csrf_access_token'?

Member Author

By default JWT_ACCESS_CSRF_COOKIE_NAME is csrf_access_token, and that default is set by flask-jwt-extended.

Member

@kgabryje kgabryje left a comment

LGTM

@dpgaspar dpgaspar requested review from craig-rueda and removed request for craig-rueda and michael-s-molina November 14, 2023 14:00
@dpgaspar dpgaspar merged commit 007d221 into apache:master Nov 14, 2023
29 checks passed
@dpgaspar dpgaspar deleted the chore/csrf-access-token branch November 14, 2023 14:01
josedev-union pushed a commit to Ortege-xyz/studio that referenced this pull request Jan 22, 2024
cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
@mistercrunch mistercrunch added the 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels label Mar 8, 2024
sfirke pushed a commit to sfirke/superset that referenced this pull request Mar 22, 2024
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/XS 🚢 3.1.0
5 participants