[superset] branch master updated: fix: Revert enable strong session protection by default (#24256) (#24545)

[mi...@apache.org]

This is an automated email from the ASF dual-hosted git repository.

michaelsmolina pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new cdbe4f3fa7 fix: Revert enable strong session protection by default (#24256) (#24545)
cdbe4f3fa7 is described below

commit cdbe4f3fa7e33f7972a9e3f7721e1b2308de9287
Author: Michael S. Molina <70...@users.noreply.github.com>
AuthorDate: Wed Jun 28 13:35:44 2023 -0300

    fix: Revert enable strong session protection by default (#24256) (#24545)
---
 UPDATING.md            |  1 -
 docs/docs/security.mdx | 21 ++++++++-------------
 superset/config.py     |  2 --
 3 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/UPDATING.md b/UPDATING.md
index 41a120f310..cf608e9fd5 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -26,7 +26,6 @@ assists people when migrating to a new version.
 
 - [24335](https://github.com/apache/superset/pull/24335): Removed deprecated API `/superset/filter/<datasource_type>/<int:datasource_id>/<column>/`
 - [24185](https://github.com/apache/superset/pull/24185): `/api/v1/database/test_connection` and `api/v1/database/validate_parameters` permissions changed from `can_read` to `can_write`. Only Admin user's have access.
-- [24256](https://github.com/apache/superset/pull/24256): `Flask-Login` session validation is now set to `strong` by default. Previous setting was `basic`.
 - [24232](https://github.com/apache/superset/pull/24232): Enables ENABLE_TEMPLATE_REMOVE_FILTERS, DRILL_TO_DETAIL, DASHBOARD_CROSS_FILTERS by default, marks VERSIONED_EXPORT and ENABLE_TEMPLATE_REMOVE_FILTERS as deprecated.
 - [23652](https://github.com/apache/superset/pull/23652): Enables GENERIC_CHART_AXES feature flag by default.
 - [23226](https://github.com/apache/superset/pull/23226): Migrated endpoint `/estimate_query_cost/<int:database_id>` to `/api/v1/sqllab/estimate/`. Corresponding permissions are can estimate query cost on SQLLab. Make sure you add/replace the necessary permissions on any custom roles you may have.
diff --git a/docs/docs/security.mdx b/docs/docs/security.mdx
index 56e058e581..a81149afb5 100644
--- a/docs/docs/security.mdx
+++ b/docs/docs/security.mdx
@@ -157,11 +157,6 @@ HTTPS if the cookie is marked “secure”. The application must be served over
 
 `PERMANENT_SESSION_LIFETIME`: (default: "31 days") The lifetime of a permanent session as a `datetime.timedelta` object.
 
-- Relevant Flask-Login settings:
-
-`SESSION_PROTECTION`: The method used to protect the session from being stolen. [Documentation](https://flask-login.readthedocs.io/en/latest/#session-protection)
-Default: "strong"
-
 ### Content Security Policy (CSP)
 
 Superset uses the [Talisman](https://pypi.org/project/flask-talisman/) extension to enable implementation of a
@@ -182,29 +177,29 @@ It's extremely important to correctly configure a Content Security Policy when d
 prevent many types of attacks. Superset provides two variables in `config.py` for deploying a CSP:
 
 - `TALISMAN_ENABLED` defaults to `False`; set this to `True` in order to implement a CSP
-- `TALISMAN_CONFIG` holds the actual the policy definition (*see example below*) as well as any
-other arguments to be passed to Talisman.
+- `TALISMAN_CONFIG` holds the actual the policy definition (_see example below_) as well as any
+  other arguments to be passed to Talisman.
 
 When running in production mode, Superset will check at startup for the presence
-of a CSP.  If one is not found, it will issue a warning with the security risks. For environments
+of a CSP. If one is not found, it will issue a warning with the security risks. For environments
 where CSP policies are defined outside of Superset using other software, administrators can disable
 this warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
 
 #### CSP Requirements
 
-* Superset needs both the `'unsafe-eval'` and `'unsafe-inline'` CSP keywords in order to operate.
+- Superset needs both the `'unsafe-eval'` and `'unsafe-inline'` CSP keywords in order to operate.
 
   ```
   default-src 'self' 'unsafe-eval' 'unsafe-inline'
   ```
 
-* Some dashboards load images using data URIs and require `data:` in their `img-src`
+- Some dashboards load images using data URIs and require `data:` in their `img-src`
 
   ```
   img-src 'self' data:
   ```
 
-* MapBox charts use workers and need to connect to MapBox servers in addition to the Superset origin
+- MapBox charts use workers and need to connect to MapBox servers in addition to the Superset origin
 
   ```
   worker-src 'self' blob:
@@ -231,12 +226,12 @@ TALISMAN_CONFIG = {
 
 Setting `TALISMAN_ENABLED = True` will invoke Talisman's protection with its default arguments,
 of which `content_security_policy` is only one. Those can be found in the
-[Talisman documentation](https://pypi.org/project/flask-talisman/) under *Options*.
+[Talisman documentation](https://pypi.org/project/flask-talisman/) under _Options_.
 These generally improve security, but administrators should be aware of their existence.
 
 In particular, the default option of `force_https = True` may break Superset's Alerts & Reports
 if workers are configured to access charts via a `WEBDRIVER_BASEURL` beginning
-with `http://`.  As long as a Superset deployment enforces https upstream, e.g.,
+with `http://`. As long as a Superset deployment enforces https upstream, e.g.,
 through a loader balancer or application gateway, it should be acceptable to set this
 option to `False`, like this:
 
diff --git a/superset/config.py b/superset/config.py
index d62003991a..b880acf5a7 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1380,8 +1380,6 @@ TALISMAN_CONFIG = {
 SESSION_COOKIE_HTTPONLY = True  # Prevent cookie from being read by frontend JS?
 SESSION_COOKIE_SECURE = False  # Prevent cookie from being transmitted over non-tls?
 SESSION_COOKIE_SAMESITE: Literal["None", "Lax", "Strict"] | None = "Lax"
-# Accepts None, "basic" and "strong", more details on: https://flask-login.readthedocs.io/en/latest/#session-protection
-SESSION_PROTECTION = "strong"
 
 # Cache static resources.
 SEND_FILE_MAX_AGE_DEFAULT = int(timedelta(days=365).total_seconds())