Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2020/02/26 19:21:51 UTC

[GitHub] [incubator-superset] nytai commented on issue #9205: [api] enable CSRF by default

nytai commented on issue #9205: [api] enable CSRF by default
URL: https://github.com/apache/incubator-superset/pull/9205#issuecomment-591598042

@etr2460 Given that FAB/superset supports multiple auth methods there are multiple libraries for handling csrf protection on the backend. The one that's on by default is provided by [Flask-WTF](https://flask-wtf.readthedocs.io/en/stable/); this is the one currently used when username/pw auth is configured. When using flask-wtf the csrf is provided via a jinja function (meant to be inserted in the DOM). When using [flask-jwt-extended](https://flask-jwt-extended.readthedocs.io/en/stable/) the csrf is provided in a cookie and it should match what's in the jwt payload.

This PR adds functionality to default to using the CSRF token provided by flask-wtf; however, if that is disabled (via a config flag) then we check the presence of the token in the cookie. This allows for both methods of checking CSRF. If both methods are enabled (they shouldn't be) then it'll default to the flask-wtf token.
