Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/01/17 05:59:13 UTC

[GitHub] [superset] zedlauzy opened a new issue #18062: Calling POST REST APIs (nodejs axios) will result to "The CSRF session token is missing"

zedlauzy opened a new issue #18062:
URL: https://github.com/apache/superset/issues/18062


   Hello there, I am unable to make any POST API calls (import_dashboard), as they lead to the 400 error `The CSRF session token is missing` when using nodejs & axios. I do not wish to exempt these APIs in `WTF_CSRF_EXEMPT_LIST` if it is possible.
   
   **Steps to Reproduce:**
   1) In my nodejs app, I have this axios setup, which imports a dashboard via `importContent`:
   
   ```
   const config = {
     headers: {
       'X-CSRFToken': await this.getCsrfToken(),
       'Authorization': `Bearer ${await this.getAccessToken()}`
     }
   }
   
   private async getAccessToken(): Promise<string> {
     const loginRequest = this.createLoginRequest()
     const response = await axios.post(`${this.baseURL}api/v1/security/login`, loginRequest)
     return response.data['access_token']
   }
   
   private async getCsrfToken(): Promise<string> {
     const token = `Bearer ${await this.getAccessToken()}`
   
     const options: AxiosRequestConfig = {
       headers: {
         Authorization: token
       }
     }
     const url = `${this.baseURL}api/v1/security/csrf_token`
     const response = await axios.get(url, options)
     return response.data['result']
   }
   
   async importContent(contentType: string, filePath: string, overwrite: boolean): Promise<any> {
     const formData = new FormData()
     formData.append('formData', fs.createReadStream(filePath))
     formData.append('overwrite', String(overwrite))
     const options = {
       headers: {
         Authorization: `Bearer ${await this.getAccessToken()}`,
         'X-CSRFToken': await this.getCsrfToken(),
         ...formData.getHeaders()
       }
     }
     const url = `${this.baseURL}api/v1/${contentType}/import/`
   
     const response = await axios.post(url, formData, options)
     if (response.data) {
       return response
     }
   }
   ```
   
   2) I am sure the code works, as I have tried it with the import_dashboard API in `WTF_CSRF_EXEMPT_LIST`.
   
   3) It only goes wrong when I remove it from `WTF_CSRF_EXEMPT_LIST`. I have also verified via Postman that the similar request below works:
   ```
   Headers: {
     Authorization: 'Bearer {token}',
     X-CSRFToken: {csrfToken}
   }
   form-data: {
     formData: {uploadedFile}
   }
   ```
   
   
   **Actual Result:**
   Getting `The CSRF session token is missing` error
   
   **Expected Result:**
   Importing dashboard via REST API call should work as expected


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
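
Added example, not code from the issue or from Superset: a constructed JavaScript model of the session-bound CSRF check that Flask-WTF performs, showing why a POST that carries `X-CSRFToken` but not the session cookie set by `api/v1/security/csrf_token` gets exactly the error in the report. The in-memory session store, the cookie name `session`, and every function name are assumptions made for the model.

```javascript
// Added example: a constructed model, not Superset or Flask-WTF source code.
// Assumed for the model: in-memory sessions, cookie name "session", all names.
const crypto = require('crypto');
const sessions = new Map(); // session id -> session data, as the server sees it

// Model of GET api/v1/security/csrf_token: the token is stored in the session,
// and the session reaches the client only through the Set-Cookie header.
function getCsrfToken() {
  const sid = crypto.randomBytes(8).toString('hex');
  const token = crypto.randomBytes(16).toString('hex');
  sessions.set(sid, { csrf_token: token });
  return { data: { result: token }, headers: { 'set-cookie': [`session=${sid}; HttpOnly; Path=/`] } };
}

function sessionId(cookieHeader) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || '');
  return m ? m[1] : null;
}

// Constant-time comparison of two token strings.
function same(a, b) {
  const [x, y] = [Buffer.from(a), Buffer.from(b)];
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Model of the CSRF check on a POST; the messages follow Flask-WTF's wording.
function postImport(headers) {
  const session = sessions.get(sessionId(headers.Cookie)) || {};
  if (!headers['X-CSRFToken']) return 'The CSRF token is missing.';
  if (!session.csrf_token) return 'The CSRF session token is missing.';
  if (!same(session.csrf_token, headers['X-CSRFToken'])) return 'The CSRF tokens do not match.';
  return 'OK';
}

// Client helper: turn Node's set-cookie array into a Cookie request header.
function cookieHeaderFrom(setCookie) {
  return (setCookie || []).map((c) => c.split(';')[0].trim()).join('; ');
}

// Flow in the report: token header sent, session cookie dropped.
function importWithoutCookie() {
  return postImport({ 'X-CSRFToken': getCsrfToken().data.result });
}

// Same flow, forwarding the cookie from the csrf_token response.
function importWithCookie() {
  const res = getCsrfToken();
  const Cookie = cookieHeaderFrom(res.headers['set-cookie']);
  return postImport({ 'X-CSRFToken': res.data.result, Cookie });
}
```

With axios in Node, the cookie arrives as `response.headers['set-cookie']` on the csrf_token response and has to be sent back as a `Cookie` header on the POST. Postman does this automatically through its cookie jar.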


