[Embedding SDK] Getting 403 when retrieving Guest Token

[loretoparisi]

This is my customisation of the superset_config.py

# CSRF COOKIE
CSRF_COOKIE_HTTPONLY = False
# not required when running in reverse-proxy mode.
WTF_CSRF_ENABLED = False
# Add endpoints that need to be exempt from CSRF protection
WTF_CSRF_EXEMPT_LIST = [ "localhost" ]
# A CSRF token that expires in 1 year
WTF_CSRF_TIME_LIMIT = 60 * 60 * 24 * 365 

TALISMAN_ENABLED = False
TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False
}

with

#  (default: "Lax") Prevents the browser from sending this cookie along with cross-site requests.
SESSION_COOKIE_SAMESITE = None

#  (default: False): Controls if cookies should be set with the HttpOnly flag.
SESSION_COOKIE_HTTPONLY = False

#  (default: False) Browsers will only send cookies with requests over HTTPS if the cookie is marked “secure”. 
# The application must be served over HTTPS for this to make sense.
SESSION_COOKIE_SECURE = False

When I try to get the guest Token via API (cURL copied from the swagger playground example code)

curl -X 'POST' \
  'http://localhost:8088/api/v1/security/guest_token/' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer xxxxxxxxxxxxxx' \
  -H 'Content-Type: application/json' \
  -d '{
  "resources": [
    {
      "id": "xxxx-xxx-xxx-xx-xxxxxxxx",
      "type": "dashboard"
    }
  ],
  "rls": [
  ],
  "user": {
    "first_name": "guest-user",
    "last_name": "guest-user",
    "username": "guest-user"
  }
}'

I get a 403 Forbidden:

{
  "message": "Forbidden"
}

when using the playground directly it works. In fact it does not use the 'Authorization: Bearer xxxxxxxxxxxxxx' but in practice it is using a session cookie. In fact I can reproduce this in pure JavaScript:

const body = {
    "resources": [
        {
            "id": "xxxxx,
            "type": "dashboard"
        }
    ],
    "rls": [],
    "user": {
        "first_name": "guest-user",
        "last_name": "guest-user",
        "username": "guest-user"
    }
};

const headers = {
    "Content-Type": "application/json",
    "Authorization": `Bearer ${access_token}`, // not working
    //"Cookie": `session=.${session_cookie}`, // it is working!
};

console.log(body, headers);

const res = await fetch("http://localhost:8088/api/v1/security/guest_token/", {
    "headers": headers,
    "body": JSON.stringify(body),
    "method": "POST"
});
console.log(await res.json())

Using Cookie: header it works perfecty and I get back the token, while using the Bearer I'm getting the 403.

[loretoparisi]

[UPDATE]
So apparently the issue was due to missing capabilities of the Public role, specifically add the following:

* can read on Chart
* can read on Dataset
* can read on Dashboard
* can read on Database
* can write on DashboardFilterStateRestApi
* can read on DashboardfilterStateRestApi
* can dashboard on Superset
* can explore json on Superset
* can grant guest token on SecurityRestApi

fixed the 403 issue 👍🏾
Unfortunately, while I'm geting a valid token from the /guest_token/ api, I'm now getting a Guest user cannot modify chart payload that seems to be related to this PR and here. Not sure how to address this.

[AhmerAyaz]

Any updates regarding this? How can we allow users that are accessing through guest token to change the filters?