Even with WTF_CSRF_ENABLED = False, I still get CSRF errors #24717

Closed
havedill opened this issue Jul 17, 2023 · 12 comments
@havedill

havedill commented Jul 17, 2023

A clear and concise description of what the bug is.

How to reproduce the bug

Brand new installation, using TAG=3.0.0rc1 docker compose -f docker-compose-non-dev.yml up

I have WTF_CSRF_ENABLED = False in superset/config.py

When I try to log in as my user, I get no error page and the console logs the following:

superset_app          | During handling of the above exception, another exception occurred:
superset_app          |
superset_app          | Traceback (most recent call last):
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1821, in full_dispatch_request
superset_app          |     rv = self.preprocess_request()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2313, in preprocess_request
superset_app          |     rv = self.ensure_sync(before_func)()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
superset_app          |     self.protect()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 264, in protect
superset_app          |     self._error_response(e.args[0])
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 307, in _error_response
superset_app          |     raise CSRFError(reason)
superset_app          | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
superset_app          | 2023-07-17 15:56:53,862:WARNING:superset.views.base:Refresh CSRF token error
superset_app          | Traceback (most recent call last):
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 261, in protect
superset_app          |     validate_csrf(self._get_csrf_token())
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 103, in validate_csrf
superset_app          |     raise ValidationError("The CSRF session token is missing.")
superset_app          | wtforms.validators.ValidationError: The CSRF session token is missing.
superset_app          |
superset_app          | During handling of the above exception, another exception occurred:
superset_app          |
superset_app          | Traceback (most recent call last):
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1821, in full_dispatch_request
superset_app          |     rv = self.preprocess_request()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2313, in preprocess_request
superset_app          |     rv = self.ensure_sync(before_func)()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
superset_app          |     self.protect()
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 264, in protect
superset_app          |     self._error_response(e.args[0])
superset_app          |   File "/usr/local/lib/python3.9/site-packages/flask_wtf/csrf.py", line 307, in _error_response
superset_app          |     raise CSRFError(reason)
superset_app          | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.

Expected results

I would expect to be logged in

Actual results

Console simply logs an exception

Environment

(please complete the following information):

Chrome,
Windows 11 Client
Almalinux 9 - Server/Docker host
Superset 3.0.0RC1

@havedill
Author

Switching to 2.1.1rc1, and this issue does not occur for me. Only on the 3.0.0rc1 branch I have this issue.

@rusackas added the v3.0 label Jul 20, 2023
@lf-floriandin

Got the same issue installing 3.0.0Rc2 with pip on Ubuntu 22.04.

@AidanHarveyNelson

I found this in the superset repo https://github.com/apache/superset/blob/master/.github/workflows/ecs-task-definition.json

When I followed it by setting TALISMAN_ENABLED = False environment variable I was able to get superset to log me in.

@hrikken

hrikken commented Aug 15, 2023

Same here with latest docker-compose-no-dev. Unable to log in.

@Mirieri

Mirieri commented Aug 16, 2023

This issue seems not to have been solved, I have installed it with docker and made configuration changes on the superset_config.py file. ERROR INFO: INFO:flask_wtf.csrf: The CSRF session token is missing.

@michael-s-molina
Member

Please check #24579. Specifically if configuring TALISMAN resolves the issue.

@snowsky

snowsky commented Dec 28, 2023

> I found this in the superset repo https://github.com/apache/superset/blob/master/.github/workflows/ecs-task-definition.json
>
> When I followed it by setting TALISMAN_ENABLED = False environment variable I was able to get superset to log me in.

This works for me. 👍

@rusackas
Member

Closing this since we seem to have a winning solution. Holler if this needs any revisit.

@dmuldoonadl

I still see this when celery workers try cache warmup. Setting WTF_CSRF_ENABLED = False in superset_config.py has no effect.

@spars57

spars57 commented May 13, 2024

I'm having the same issue on 3.10, after setting WTF_CSRF_ENABLED = False the problem remains

@rusackas
Member

Ok... reopening... I wish I had a pointer for this one 😓

@rusackas reopened this May 13, 2024
@spars57

spars57 commented May 14, 2024

I was able to fix it but not sure how, I think we can close this issue
