Posted to notifications@superset.apache.org by "sazary (via GitHub)" <gi...@apache.org> on 2023/02/02 02:10:05 UTC

[GitHub] [superset] sazary commented on issue #19525: Cannot authenticate on API. Get the tokens (JWT and csrf) but all responses are "401"

sazary commented on issue #19525:
URL: https://github.com/apache/superset/issues/19525#issuecomment-1413050293

   I think I'm experiencing the same issue with superset `2.0.1`.
   
   This is the script that I run to get the JWT token, the CSRF token, and finally my user's info:
   
   ```js
   const base_url = "https://<server_addr>/api/v1/";
   
   async function get_csrf_token(access_token) {
     const res = await fetch(base_url + "security/csrf_token", {
       headers: {
         "Content-Type": "application/json",
         Authorization: "Bearer " + access_token,
       },
       method: "GET",
     });
   
     const complete_res = await res.json();
     return complete_res.result;
   }
   
   async function login() {
     const res = await fetch(base_url + "security/login", {
       headers: {
         "Content-Type": "application/json",
       },
       body: JSON.stringify({
         username: "user",
         password: "pass",
         provider: "db",
         refresh: true,
       }),
       method: "POST",
     });
   
     const complete_res = await res.json();
     return complete_res.access_token;
   }
   
   async function get_me(access_token, csrf_token) {
     const res = await fetch(base_url + "me", {
       credentials: "same-origin",
       headers: {
         "Content-Type": "application/json",
         Authorization: "Bearer " + access_token,
         "X-CSRFToken": csrf_token,
       },
       method: "GET",
     });
   
     return await res.json();
   }
   
   (async () => {
     const access_token = await login();
     console.log("res is ", access_token);
   
     const csrf_token = await get_csrf_token(access_token);
     console.log("res is ", csrf_token);
   
     const me_res = await get_me(access_token, csrf_token);
     console.log("me is ", me_res);
   })();
   ```
   
   When I run the script, the result is:
   
   ```shell
   $ node ./superset_api_test.js
   res is  <jwt token>
   res is  <csrf token>
   me is  { message: 'Not authorized' }
   ```
   
   And I think @raghulprashath is right. Lines 35-63 (the `get_me` method) of `superset.views.users.api.CurrentUserRestApi` look like:
   
   ```python
       @expose("/", methods=["GET"])
       @safe
       def get_me(self) -> Response:
           """Get the user object corresponding to the agent making the request
           ---
           get:
             description: >-
               Returns the user object corresponding to the agent making the request,
               or returns a 401 error if the user is unauthenticated.
             responses:
               200:
                 description: The current user
                 content:
                   application/json:
                     schema:
                       type: object
                       properties:
                         result:
                           $ref: '#/components/schemas/UserResponseSchema'
               401:
                 $ref: '#/components/responses/401'
           """
           try:
               if g.user is None or g.user.is_anonymous:
                   return self.response_401()
           except NoAuthorizationError:
               return self.response_401()
   
           return self.response(200, result=user_response_schema.dump(g.user))
   ```
   
   I can confirm that the same workflow works totally fine for version `1.2.0`, albeit on a view other than `/me`.
   
   
   Versions:
   
   ```
   superset: 2.0.1
   python: 3.8.16
   ```
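
The same login -> csrf_token -> /me workflow as the script above, written in Python as an added example (not part of the comment, the issue, or Superset's own code) so that the failing step is classified rather than just printed. The HTTP transport is an injectable callable: `http_json` talks to a real server with only the standard library, while `fake_superset` is a constructed stand-in that replays the responses reported above so the script runs offline. Assumptions: the `/me` view is exposed at `/` under the `me` resource, so it is requested as `me/`; the verdict strings (`bearer_rejected`, `me_rejects_bearer`, ...) are this example's own naming, and what they mean inside Superset is left to the thread.

```python
import json
import sys
import urllib.error
import urllib.request


def _parse(raw):
    """Decode a JSON body, returning None for empty or non-JSON responses."""
    try:
        return json.loads(raw) if raw else None
    except ValueError:
        return None


def http_json(url, method="GET", headers=None, body=None):
    """Real transport: one request via urllib, returning (status, parsed JSON or None).
    4xx/5xx responses are returned instead of raised so the caller can inspect them."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=dict(headers or {}))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, _parse(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _parse(err.read())


def login(transport, base_url, username, password):
    """POST security/login with the db provider; returns (access_token, refresh_token)."""
    status, body = transport(base_url + "security/login", method="POST",
                             body={"username": username, "password": password,
                                   "provider": "db", "refresh": True})
    if status != 200 or not body or "access_token" not in body:
        raise RuntimeError("login failed: %s %s" % (status, body))
    return body["access_token"], body.get("refresh_token")


def get_csrf_token(transport, base_url, access_token):
    """GET security/csrf_token using only the bearer token; returns (status, body)."""
    return transport(base_url + "security/csrf_token",
                     headers={"Authorization": "Bearer " + access_token})


def get_me(transport, base_url, access_token, csrf_token):
    """GET me/ with the bearer token and the CSRF header the original script also sends."""
    # Assumption: the view is exposed at "/" under the "me" resource, hence the trailing slash.
    return transport(base_url + "me/",
                     headers={"Authorization": "Bearer " + access_token,
                              "X-CSRFToken": csrf_token or ""})


def diagnose(transport, base_url, username, password):
    """Run the three steps and report which one rejects the bearer token."""
    try:
        access_token, _refresh_token = login(transport, base_url, username, password)
    except RuntimeError:
        return "login_failed"
    status, body = get_csrf_token(transport, base_url, access_token)
    if status == 401:
        return "bearer_rejected"      # the JWT is not accepted even by csrf_token
    csrf_token = (body or {}).get("result")
    status, body = get_me(transport, base_url, access_token, csrf_token)
    if status == 401:
        return "me_rejects_bearer"    # same JWT accepted by csrf_token, refused by me/
    if status == 200 and body and "result" in body:
        return "ok"
    return "unexpected:%s" % status


def fake_superset(url, method="GET", headers=None, body=None):
    """Constructed offline stand-in replaying the responses reported in the comment above."""
    auth = (headers or {}).get("Authorization")
    if url.endswith("security/login") and method == "POST":
        return 200, {"access_token": "AAA.BBB.CCC", "refresh_token": "DDD.EEE.FFF"}
    if url.endswith("security/csrf_token"):
        if auth == "Bearer AAA.BBB.CCC":
            return 200, {"result": "csrf-token"}
        return 401, {"msg": "Missing Authorization Header"}
    if url.endswith("me/"):
        return 401, {"message": "Not authorized"}   # bearer ignored, no session cookie
    return 404, None


if __name__ == "__main__":
    if len(sys.argv) == 4:   # python check_me.py https://<server_addr>/api/v1/ user pass
        print(diagnose(http_json, sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        print(diagnose(fake_superset, "https://<server_addr>/api/v1/", "user", "pass"))
```

Run with no arguments to see the verdict the reported responses produce (`me_rejects_bearer`); pass the base URL, username and password to run it against a live instance. The distinction the verdict makes is the one worth recording in a bug report: a token that `security/csrf_token` accepts but `me/` refuses points at how that one endpoint resolves the caller, not at the token itself.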


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

