
Fix not sending necessary HTTP headers when downloading results #41633

Merged


WiNloSt
Member

@WiNloSt WiNloSt commented Apr 19, 2024

Closes #39848

Related to #18823

Description

This fixes the problem where users logged in via Google SSO couldn't download question results. This was because we called fetch directly without passing the proper CSRF header, which is required when we authenticate with the metabase.EMBEDDED_SESSION cookie, as Google SSO does in this case. That is why we got a 401 in the response.

How to verify

  1. Follow the repro steps in Google SSO with Interactive Embedding do not allow you to download CSV #39848

  2. Ensure Fix download full results link for embedded and public questions is still working

    To set up a subpath, use https://github.com/WiNloSt/metabase-subpath. The instructions are already in the repo.

Checklist

  • Tests have been added/updated to cover changes in this PR
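The failure mode the description gives (a request that carries the embedded-session cookie but not the anti-CSRF header is answered with 401) is easy to model end to end. The block below is an added example, not Metabase's own code: a constructed in-memory server that enforces the cookie-plus-header rule, and a small GET/POST wrapper in the role that `frontend/src/metabase/lib/api.js` plays in the PR, which learns the token from the `/api/user/current` response header and attaches it to every later call. The cookie name, header name and `/embed/question/123.csv` path come from the PR; every function name, the session store and the rule that the token endpoint hands the token back are assumptions made for the example.

```javascript
// Added example, not Metabase's code: a constructed model of why a request
// authenticated only by the metabase.EMBEDDED_SESSION cookie needs the
// anti-CSRF header, and a GET/POST wrapper that always attaches it.
// Function names, the session store and the token-endpoint rule are
// hypothetical; only the cookie name, header name and download path come
// from the PR.

const ANTI_CSRF_HEADER = "x-metabase-anti-csrf-token";
const EMBEDDED_SESSION_COOKIE = "metabase.EMBEDDED_SESSION";
const TOKEN_ENDPOINT = "/api/user/current"; // the endpoint the E2E test intercepts

function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// HTTP header names are case-insensitive; normalise before comparing.
function lowerCaseHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
}

// Constructed server: a cookie-only embedded session is accepted on the token
// endpoint (which returns the token in a response header) and rejected with
// 401 everywhere else unless the same token is echoed in the request header.
function createServer(sessions) {
  return function handle(req) {
    const headers = lowerCaseHeaders(req.headers);
    const sessionId = parseCookies(headers.cookie || "")[EMBEDDED_SESSION_COOKIE];
    const session = sessions.get(sessionId);
    if (!session) return { status: 401, headers: {}, body: "" };
    if (req.path === TOKEN_ENDPOINT) {
      return { status: 200, headers: { [ANTI_CSRF_HEADER]: session.csrfToken }, body: "user" };
    }
    if (headers[ANTI_CSRF_HEADER] !== session.csrfToken) {
      return { status: 401, headers: {}, body: "" };
    }
    return { status: 200, headers: {}, body: "csv-bytes" };
  };
}

// Constructed client wrapper in the role of GET/POST from lib/api.js:
// remembers the token seen on any response and sends it on every later call.
function createApiClient(transport, cookie) {
  let csrfToken = null;
  function request(method, path, body) {
    const headers = { cookie };
    if (csrfToken) headers[ANTI_CSRF_HEADER] = csrfToken;
    const res = transport({ method, path, headers, body });
    if (res.headers[ANTI_CSRF_HEADER]) csrfToken = res.headers[ANTI_CSRF_HEADER];
    return res;
  }
  return {
    GET: (path) => request("GET", path),
    POST: (path, body) => request("POST", path, body),
    csrfToken: () => csrfToken,
  };
}

// Worked run: a bare transport call (what the old direct fetch did) gets 401;
// the wrapper gets 200 once it has learned the token from the token endpoint.
function demoCsrf() {
  const sessions = new Map([["sess-1", { csrfToken: "abcdefgh" }]]); // constructed session
  const server = createServer(sessions);
  const cookie = `${EMBEDDED_SESSION_COOKIE}=sess-1`;
  const api = createApiClient(server, cookie);
  api.GET(TOKEN_ENDPOINT);
  const bare = server({ method: "POST", path: "/embed/question/123.csv", headers: { cookie }, body: "" });
  const wrapped = api.POST("/embed/question/123.csv", "");
  return { bare: bare.status, wrapped: wrapped.status, token: api.csrfToken() };
}

console.log(demoCsrf()); // { bare: 401, wrapped: 200, token: 'abcdefgh' }
```

The point of routing every call through one wrapper is that the header requirement is enforced in a single place: a new code path that reaches for `fetch` directly silently loses the protection, which is exactly the shape of the bug this PR fixes.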


replay-io bot commented Apr 19, 2024

Status Complete ↗︎
Commit 0e52c6c
Results
⚠️ 12 Flaky
2418 Passed

@WiNloSt WiNloSt added the backport Automatically create PR on current release branch on merge label Apr 19, 2024
const CSRF_TOKEN = "abcdefgh";
cy.intercept("GET", "/api/user/current", req => {
req.on("response", res => {
res.headers["X-Metabase-Anti-CSRF-Token"] = CSRF_TOKEN;
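Review bot: the intercept on `/api/user/current` injects the `X-Metabase-Anti-CSRF-Token` response header with a fixed value (`CSRF_TOKEN = "abcdefgh"`), so this test only proves the client echoes a token it was handed; it would keep passing if the server stopped issuing the header on that endpoint. Worth a comment here (or a backend test) stating that the real header source is the `/api/user/current` response under an embedded session, so the mock cannot drift from server behaviour unnoticed.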
Member Author

I just mock the header as it's virtually impossible to set up Google SSO at the moment.


cy.wait("@CsvDownload").then(interception => {
expect(
interception.request.headers["x-metabase-anti-csrf-token"],
Member Author

Then I only assert that we pass the correct header, as downloaded files are tested in other tests.

body = options.transformResponse({
body,
data,
response: unreadResponse,
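Review bot: `transformResponse` now receives a single object (`body`, `data`, `response`) instead of positional arguments, which silently breaks any caller or custom transform written against the old shape. Since the description says nothing else uses it, please still update the JSDoc/type for `options.transformResponse` in `frontend/src/metabase/lib/api.js` to the new shape and note that `response` is the unread `Response` (`unreadResponse`), so a consumer does not try to read the body a second time.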
Member Author

Since I need to pass a new key, I think it's a good time to refactor the transformResponse API, although nobody uses this API outside this PR.

@@ -42,6 +43,12 @@ export const downloadQueryResults =
}
};

const downloadChart = async ({ question }: DownloadQueryResultsOpts) => {
Member Author

Swap function locations because downloadChart is used first.

@@ -168,9 +173,20 @@ const getDatasetResponse = ({
formattedBody.append(key, JSON.stringify(body[key]));
}
}
return fetch(requestUrl, { method, body: formattedBody });
return POST(requestUrl, {
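Review bot: replacing `fetch(requestUrl, { method, body: formattedBody })` with `POST(requestUrl, {` is the right move for the header, but `formattedBody` is built with `formattedBody.append(key, JSON.stringify(body[key]))`, i.e. a `FormData`/`URLSearchParams`-style body. Confirm the `POST` wrapper passes such a body through untouched rather than JSON-encoding it or forcing `Content-Type: application/json`; otherwise the request now carries the correct CSRF header but a malformed body, and the server-side failure would look unrelated to this change.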
Member Author

Use POST and GET from frontend/src/metabase/lib/api.js, as they take care of passing the CSRF token.

I was considering a more static approach where I define the path upfront. But the path is not always static since we also call

url: Urls.publicQuestion({ uuid, type, includeSiteUrl: false }),

@WiNloSt WiNloSt requested a review from a team April 19, 2024 13:22
const requestUrl = new URL(url, location.origin);
return requestUrl.href;

return url;
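Review bot: the two visible returns, `return requestUrl.href;` (an absolute URL built with `new URL(url, location.origin)`) and `return url;`, hand back different shapes. Since the result now goes to `GET`/`POST`, which prepend `api.basename`, document that this function returns a basename-relative path, and add a unit case whose input is already a fully qualified URL so the subpath can never be prepended twice.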
Member Author

We need to ensure we now only return the relative path without the subpath. Previously we needed the whole path because we passed it directly to fetch, but this PR passes it to GET and POST, which already take care of the subpath via api.basename.

i.e. if we deploy Metabase on /metabase and the download URL is /metabase/embed/question/123.csv, this function needs to return just /embed/question/123.csv, as you'll see in the unit test below.
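The subpath rule stated in the comment above (strip `/metabase` from `/metabase/embed/question/123.csv` because the basename-aware wrapper adds it back) is worth seeing with its edge cases. The block below is an added example, not Metabase's code: a normaliser that accepts a relative path, an absolute path or a fully qualified URL, strips the basename only at a path boundary, refuses a cross-origin URL (which would otherwise be rewritten under the local basename and sent with the session cookie and anti-CSRF header), and a round trip through a wrapper that prepends the basename exactly once. The `/metabase` subpath and `/embed/question/123.csv` path are the ones from the comment; the function names, the `https://mb.example` origin and the `?x=1` query string are constructed.

```javascript
// Added example, not Metabase's code: turning a download URL into the path a
// basename-aware GET/POST wrapper expects, so the subpath is applied exactly
// once. Function names, origin and query string are hypothetical; the
// /metabase subpath and the /embed/question/123.csv path are from the PR.

function trimTrailingSlash(path) {
  return path.replace(/\/+$/, "");
}

// Remove the subpath prefix from a pathname, but only at a path boundary:
// a basename of "/metabase" must not strip "/metabase-admin/...".
function stripBasename(pathname, basename) {
  const base = trimTrailingSlash(basename);
  if (base === "") return pathname;
  if (pathname === base) return "/";
  if (pathname.startsWith(base + "/")) return pathname.slice(base.length);
  return pathname;
}

// Normalise a relative path, absolute path or fully qualified URL to a
// basename-relative path plus query string. A URL on another origin is
// rejected rather than rewritten under our basename.
function toApiRelativeUrl(url, { origin, basename }) {
  const parsed = new URL(url, origin);
  if (parsed.origin !== origin) {
    throw new Error(`refusing cross-origin download URL: ${parsed.origin}`);
  }
  return stripBasename(parsed.pathname, basename) + parsed.search;
}

// What the wrapper then does with the relative path: prepend the basename once.
function buildRequestUrl(relativePath, { origin, basename }) {
  return new URL(trimTrailingSlash(basename) + relativePath, origin).href;
}

// Worked round trip for a deployment served under /metabase (constructed inputs).
function demoSubpath() {
  const cfg = { origin: "https://mb.example", basename: "/metabase" };
  const inputs = [
    "/metabase/embed/question/123.csv",
    "https://mb.example/metabase/embed/question/123.csv?x=1",
    "/embed/question/123.csv",
  ];
  return inputs.map((input) => {
    const relative = toApiRelativeUrl(input, cfg);
    return { input, relative, request: buildRequestUrl(relative, cfg) };
  });
}

console.table(demoSubpath());
```

Every row of the round trip ends at `https://mb.example/metabase/embed/question/123.csv` (plus the query string where one was given), regardless of which form the input took; that invariant is the thing a unit test for this function should pin down.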

);
}),
).toBe(true);
const [url, options] = mockDownloadEndpoint.lastCall() as MockCall;
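Review bot: `mockDownloadEndpoint.lastCall()` hands back the `options` whose `body` is, per the author's note, now a Promise, and the test should not simply assert on the Promise object. If this is an artefact of the mock, say so in the test; if it is not, a Promise reaching a real `fetch` would be stringified rather than sent, which is a real bug hidden by the mock. Either way, resolve the value (or have the wrapper await it before calling `fetch`) and assert on the resolved body.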
Member Author

Since we changed to use GET and POST, options.body turns out to be a Promise instead. I'm not totally sure why.

@WiNloSt
Member Author

WiNloSt commented Apr 22, 2024

@uladzimirdev I requested your review since you last touched this file with this bug fix #34659

Member

@npretto npretto left a comment


Code looks good to me

@WiNloSt WiNloSt merged commit 82d90d0 into master Apr 22, 2024
109 checks passed
@WiNloSt WiNloSt deleted the 39848-cannot-download-csv-in-google-sso-interactive-embedding branch April 22, 2024 11:30
github-actions bot pushed a commit that referenced this pull request Apr 22, 2024
* Fix not sending necessary HTTP headers when downloading results

* Fix fail E2E tests

* Add E2E test

* Fix failed tests

* Fix unit tests

* Fix download on subpath

* Fix unit tests for subpath
@WiNloSt WiNloSt added this to the 0.49.7 milestone Apr 22, 2024
@WiNloSt WiNloSt mentioned this pull request Apr 23, 2024
metabase-bot bot added a commit that referenced this pull request Apr 23, 2024
… results" (#41682)

* Fix not sending necessary HTTP headers when downloading results (#41633)

* Fix not sending necessary HTTP headers when downloading results

* Fix fail E2E tests

* Add E2E test

* Fix failed tests

* Fix unit tests

* Fix download on subpath

* Fix unit tests for subpath

* Fix `api.js`'s `transformResponse` API

---------

Co-authored-by: Mahatthana (Kelvin) Nomsawadi <me@bboykelvin.dev>
Co-authored-by: Mahatthana Nomsawadi <mahatthana.n@gmail.com>
metamben added a commit that referenced this pull request Apr 23, 2024
* Add a way to update filter type and operator from parameter sidebar (#41555)

* Convert EmbeddingContext to Sdk Store slice (#41585)

* Add prefix to CSS custom properties (#41574)

* Migrate --border-*

* Migrate *breadcrumb*

* Migrate --color-bg-black

* Migrate --color-bg-dark

* Migrate --color-bg-light

* Migrate --color-bg-medium

* Migrate --color-bg-white

* Migrate --color-border

* Migrate --color-brand*

* Migrate --color-error

* Migrate --color-focus

* Migrate --color-shadow

* Migrate --color-success

* Migrate --color-text-dark

* Migrate --color-text-light

* Migrate --color-text-medium

* Migrate --color-text-white

* Migrate --color-white

* Migrate --default-border-radius

* Migrate --default-button-border-radius

* Migrate --default-font-family

* Migrate --default-font-size

* Migrate --default-header-margin

* Migrate --gap-1

* Migrate --icon-width

* Migrate --input-border-color

* Migrate --input-border-radius

* Migrate --margin-*

* Migrate --muted-color

* Migrate --padding-*

* Migrate --page-header-padding

* Migrate --subtitle-color

* Migrate --title-color

* Reset to master

* Remove unused --color-text-default

* Remove unused --color*

* Remove unused CSS custom properties

* Prefix only necessary CSS custom properties

* Fix Dispatch type (#41631)

* Fix Dispatch type

* Fix typing

* Fix types

* [Feature branch] Split data access and query builder access (#41581)

Co-authored-by: Noah Moss <noahbmoss@gmail.com>
Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Co-authored-by: Nick Fitzpatrick <nick@metabase.com>
Co-authored-by: John Swanson <john.swanson@metabase.com>
Co-authored-by: Sloan Sparger <sloansparger@users.noreply.github.com>
Co-authored-by: Sloan Sparger <sloansparger@gmail.com>

* Re-wire the `Groups` entity to use RTK Query under the hood (#41480)

* Delete unused endpoint from `PermissionsApi`

* Add group tag helpers

* Define RTK Query 5 main endpoints for `permissionApi` (group)

* Re-wire 5 main api methods in groups entity to work with RTK Query

* Re-wire `clearMember` action to work with RTK Query

* Add `Groups.api.update`

* Update types

* Fix membership failing to update after `CREATE_MEMBERSHIP`

* Make sure `members` is not undefined

* Fix cache invalidation

* Use dbname from database details instead of stats returned from Mongo (#41549)

* Use dbname from details instead of from stats

* Add mongo sharded cluster CI job

* add withUndos option to renderWithProviders to render Undos during … (#41576)

* Account for non-hydrated properties in GET /api/dashboard (#41622)

* Account for non-hydrated properties in GET /api/dashboard

* Fix provideTags

---------

Co-authored-by: Nemanja <31325167+nemanjaglumac@users.noreply.github.com>

* [docs] Revise Okta SAML docs (#41493)

* okta docs

* clarifying group mapping methods

* links

* Apply suggestions from code review

Co-authored-by: Jeff Bruemmer <jeff.bruemmer@gmail.com>

* review feedback

* Typo

---------

Co-authored-by: Jeff Bruemmer <jeff.bruemmer@gmail.com>

* Remove defaultauthdb portion of mongo connection string (#41553)

* Reset mapping after change of operator for native questions (#41615)

* Reset mapping after change of operator for native questions

* Add a basic test

* Better name for a test

* Add a new migration to clean up deprecated perm types (#41649)

* [QP, lib] Add new expression functions for host, domain, subdomain (#41540)

These functions are implemented with hairy regular expressions, and
it's more user-friendly and future-proof to name those functions in MBQL
rather than baking the `regexextract` and regex into the user's query.

It lets us evolve the regexes in the future if we detect a bug, and it
improves the UX since the user sees a meaningful function instead of

    regexextract([My URL Column], "(?<=[@\.])(?!www\.)[^@\.]+(?=\.[^@\.]{1,3}\.[^@\.]+$|\.[^@\.]+$)")

Also refactors the regexes somewhat so that they work for emails as well as URLs, and there's always just one layer of `:regex-match-first`.
Previously this was separated into two steps: URL or email to host, and host to (sub)domain.

Part of the follow-up for Extract Column epic #38964.

* New default DB permissions (#40869)

* Re-wire the `Revisions` entity to use RTK Query under the hood (#41558)

* Add RTK Query `revision` API

* Re-wire `Revisions` entity `list` to work with RTK Query

* Re-wire the `Revisions` entity `revert` to work with RTK Query

* Rename 'mac' alias to 'macaw' (#41680)

* Fix not sending necessary HTTP headers when downloading results (#41633)

* Fix not sending necessary HTTP headers when downloading results

* Fix fail E2E tests

* Add E2E test

* Fix failed tests

* Fix unit tests

* Fix download on subpath

* Fix unit tests for subpath

* Re-wire the `Snippets` entity to use RTK Query under the hood (#41656)

* Throw for `Snippets.api.delete`

* Add boilerplate `snippet` RTK API

* Add boilerplate RTK-compatibility layer for main `Snippets.api` endpoints

* Add types

* Add cache invalidation

* add validated migration checksums 45 46 47 and 48 (#41662)

* Modify JWT session token logic to use immediate return value from action (#41694)

* Port six collection-related components to TypeScript (#41632)

BaseItemsTable
BaseTableItem
BulkActions
CollectionContentView
CollectionCopyEntityModal
ItemsTable

* [tech debt] Stop using ms/BooleanString and only use ms/BooleanValue (#41390)

* [tech debt] Stop using ms/BooleanString and only use ms/BooleanValue

ms/BooleanString will coerce to a string, and we should probably get rid of it and only ever use ms/BooleanValue which will always coerce to a boolean
We want the coercion layer to give us values that are helpful, and true is more helpful than "true".
So we should remove ms/BooleanString and calls to parseBoolean

* Remove ms/BooleanString usage in api/native_query_snippet.clj

* Remove test case related to ms/BooleanString

* Remove the BooleanString schema def as no longer used

* Dates Binned by Week Export Formatting Matches App (#41619)

* Dates Binned by Week Export Formatting Matches App

Fixes: #41492

Before, the dates binned by week would be formatted as follows in CSV and JSON exports:

`Week 1 - 2024`

But that doesn't match the App's format of a Date Range:

`January 1, 2024 - January 7, 2024`

So, now the exports will apply formatting in this same way.

Note that a second bug (#41616) exists on the Frontend preventing the column formatting being applied in the app. This is
frontend only, and the csv and json exports will match the column formatting settings (eg. abbreviated dates and
alternative separators will be used in the export).

* add test and change default week style

* Week format test change

* also fix incorrect :hour formatting

* New default permissions for groups (#41323)

* Add dynamic fonts to embedding SDK (#41179)

* Fix TippyPopover default text color not visible after migration (#41716)

* Use the proper case for a "year" token format (#41715)

* Use proper case for year date format

Fixes #40493

* Add regression test for specific filters in different locales

* Actually use the locale

* Note the format_rows changes in the api changelog (#41268)

* Improve test coverage for describe-fks and describe-fields (#41528)

* Exclude internal content from admin checklist and usage stats (#41697)

* Replace `isLoggedIn` and `isInitialized` with `LoginStatus` (#41637)

* move cache business logic to model from api (#41677)

* Migrate Entity Copy Modal away from EntityForm (#41534)

* CopyQuestionForm

* CopyDashboardForm

* inital values adjustment, e2e tests

* FormObserver

* Remove unused `monospaceText` prop (#41721)

* Remove unused function (#41720)

* Be more consistent with borders and avoid double borders (#41565)

* Be more consistent with borders and avoid double borders

* Mark the aggregation 'Custom Expression' button as an action

* Remove color from action headers

* Remove bottom border from last child

* Remove top border from first child

* Make section header classes consistent

* Add border to search header

* Use correct color for borders

* Add props to enable borders in AccordionList

* Add borders to column picker elements

* dont use buildjet for e2e or frontend tests (#41733)

* dont use buildjet for e2e

* dont use buildjet for frontend either

---------

Co-authored-by: Uladzimir Havenchyk <125459446+uladzimirdev@users.noreply.github.com>
Co-authored-by: Oisin Coveney <oisin@metabase.com>
Co-authored-by: Mahatthana (Kelvin) Nomsawadi <me@bboykelvin.dev>
Co-authored-by: Kamil Mielnik <kamil@kamilmielnik.com>
Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Co-authored-by: Noah Moss <noahbmoss@gmail.com>
Co-authored-by: Nick Fitzpatrick <nick@metabase.com>
Co-authored-by: John Swanson <john.swanson@metabase.com>
Co-authored-by: Sloan Sparger <sloansparger@users.noreply.github.com>
Co-authored-by: Sloan Sparger <sloansparger@gmail.com>
Co-authored-by: Nemanja Glumac <31325167+nemanjaglumac@users.noreply.github.com>
Co-authored-by: lbrdnk <lbrdnk@users.noreply.github.com>
Co-authored-by: Nicolò Pretto <info@npretto.com>
Co-authored-by: Alex Yarosh <alexandra@metabase.com>
Co-authored-by: Jeff Bruemmer <jeff.bruemmer@gmail.com>
Co-authored-by: Braden Shepherdson <braden@metabase.com>
Co-authored-by: Tim Macdonald <tim@metabase.com>
Co-authored-by: bryan <bryan.maass@gmail.com>
Co-authored-by: Raphael Krut-Landau <raphael.kl@gmail.com>
Co-authored-by: A. Marius Rabenarivo <mariusrabenarivo@gmail.com>
Co-authored-by: adam-james <21064735+adam-james-v@users.noreply.github.com>
Co-authored-by: Cal Herries <39073188+calherries@users.noreply.github.com>
Co-authored-by: Alexander Solovyov <alexander@solovyov.net>
Co-authored-by: Romeo Van Snick <romeo@romeovansnick.be>
Co-authored-by: Ryan Laurie <30528226+iethree@users.noreply.github.com>
@WiNloSt WiNloSt removed this from the 0.49.7 milestone Apr 24, 2024
Labels
backport Automatically create PR on current release branch on merge .Team/Embedding