Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2020/02/26 11:58:05 UTC

[GitHub] [incubator-superset] dpgaspar opened a new pull request #9205: Fix/csrf api

dpgaspar opened a new pull request #9205: Fix/csrf api
URL: https://github.com/apache/incubator-superset/pull/9205
 
 
   ### CATEGORY
   
   Choose one
   
   - [ ] Bug Fix
   - [X] Enhancement (new features, refinement)
   - [ ] Refactor
   - [ ] Add tests
   - [ ] Build / Development Environment
   - [ ] Documentation
   
   ### SUMMARY
   Enables CSRF on the new REST API by default. Uses Flask-WTF CSRF protection.
   Thank you @nytai for helping out on the frontend side.
   
   ### ADDITIONAL INFORMATION
   
   - [ ] Has associated issue:
   - [ ] Changes UI
   - [ ] Requires DB Migration.
   - [ ] Confirm DB Migration upgrade and downgrade tested.
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   
   ### REVIEWERS
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [incubator-superset] nytai edited a comment on issue #9205: [api] enable CSRF by default

Posted by GitBox <gi...@apache.org>.
nytai edited a comment on issue #9205: [api] enable CSRF by default
URL: https://github.com/apache/incubator-superset/pull/9205#issuecomment-591598042
 
 
   @etr2460 Given that FAB/superset supports multiple auth methods there are multiple libraries for handling csrf protection on the backend. The one that's on by default is provided by [Flask-WTF](https://flask-wtf.readthedocs.io/en/stable/); this is the one currently used when username/pw auth is configured. When using flask-wtf the csrf is provided via a jinja function (meant to be inserted in the DOM). When using [flask-jwt-extended](https://flask-jwt-extended.readthedocs.io/en/stable/) the csrf is provided in a cookie and it should match what's in the jwt payload.
   
   This PR adds functionality to default to using the CSRF token provided by flask-wtf, however if that is disabled (via a config flag) and doesn't exist in the DOM, then we check the presence of the token in the cookie. This allows for both methods of checking CSRF. If both methods are enabled (they shouldn't be) then it'll default to flask-wtf token. 

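The token-selection order nytai describes above (prefer the Flask-WTF token rendered into the DOM, fall back to the flask-jwt-extended double-submit cookie) written out as a client-side helper. This is an added example, not Superset's own frontend code; it assumes the Flask-WTF token is rendered into a hidden `csrf_token` input, that the JWT CSRF cookie is named `csrf_access_token`, and the default header names `X-CSRFToken` (Flask-WTF) and `X-CSRF-TOKEN` (flask-jwt-extended).

```javascript
// Added example, not Superset code. Assumed names (see lead-in):
// hidden <input id="csrf_token">, cookie "csrf_access_token",
// headers X-CSRFToken (Flask-WTF) and X-CSRF-TOKEN (flask-jwt-extended).
const CSRF_COOKIE_NAME = 'csrf_access_token';

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return cookies;
}

// domToken: value of the hidden csrf_token input, or null/empty when the
// Flask-WTF integration is disabled and nothing was rendered into the page.
// Returns the header object to attach, or null when no token source exists
// (the server is then expected to reject the request as a CSRF failure).
function resolveCsrfHeader(domToken, cookieString) {
  if (domToken) {
    return { 'X-CSRFToken': domToken }; // Flask-WTF token wins when present
  }
  const token = parseCookies(cookieString || '')[CSRF_COOKIE_NAME];
  if (token) {
    return { 'X-CSRF-TOKEN': token }; // flask-jwt-extended double-submit cookie
  }
  return null;
}

// Build fetch() options for a state-changing API call: JSON headers plus the
// selected CSRF header, with same-origin credentials so the session or JWT
// cookie travels with the request and the server can compare the two values.
function buildRequest(method, body, domToken, cookieString) {
  const csrf = resolveCsrfHeader(domToken, cookieString);
  return {
    method,
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json', ...(csrf || {}) },
    body: JSON.stringify(body),
  };
}

// Constructed sample inputs for a stand-alone run (no real tokens).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildRequest('POST', { name: 'x' }, 'tok-from-dom', ''));
  console.log(buildRequest('POST', { name: 'x' }, null, 'session=abc; csrf_access_token=tok-from-cookie'));
}
```

In the browser the two inputs come from `document.getElementById('csrf_token')?.value` and `document.cookie`; the helper deliberately never reads the JWT itself, since the server does the cookie-to-payload comparison.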


[GitHub] [incubator-superset] nytai edited a comment on issue #9205: [api] enable CSRF by default

Posted by GitBox <gi...@apache.org>.
nytai edited a comment on issue #9205: [api] enable CSRF by default
URL: https://github.com/apache/incubator-superset/pull/9205#issuecomment-591598042
 
 
   @etr2460 Given that FAB/superset supports multiple auth methods there are multiple libraries for handling csrf protection on the backend. The one that's on by default is provided by [Flask-WTF](https://flask-wtf.readthedocs.io/en/stable/); this is the one currently used when username/pw auth is configured. When using flask-wtf the csrf is provided via a jinja function (meant to be inserted in the DOM). When using [flask-jwt-extended](https://flask-jwt-extended.readthedocs.io/en/stable/) the csrf is provided in a cookie and it should match what's in the jwt payload.
   
   This PR adds functionality to default to using the CSRF token provided by flask-wtf, however if that is disabled (via a config flag) then we check the presence of the token in the cookie. This allows for both methods of checking CSRF. If both methods are enabled (they shouldn't be) then it'll default to flask-wtf token. 



[GitHub] [incubator-superset] nytai commented on issue #9205: [api] enable CSRF by default

Posted by GitBox <gi...@apache.org>.
nytai commented on issue #9205: [api] enable CSRF by default
URL: https://github.com/apache/incubator-superset/pull/9205#issuecomment-591598042
 
 
   @etr2460 Given that FAB/superset supports multiple auth methods there are multiple libraries for handling csrf protection on the backend. The one that's on by default is provided by [Flask-WTF](https://flask-wtf.readthedocs.io/en/stable/); this is the one currently used when username/pw auth is configured. When using flask-wtf the csrf is provided via a jinja function (meant to be inserted in the DOM). When using [flask-jwt-extended](https://flask-jwt-extended.readthedocs.io/en/stable/) the csrf is provided in a cookie and it should match what's in the jwt payload.
   
   This PR adds functionality to default to using the CSRF token provided by flask-wtf, however if that is disabled (via a config flag) then we check the presence of the token in the cookie. This allows for both methods of checking CSRF. If both methods are enabled (they shouldn't be) then it'll default to flask-wtf token. 



[GitHub] [incubator-superset] dpgaspar merged pull request #9205: [api] enable CSRF by default

Posted by GitBox <gi...@apache.org>.
dpgaspar merged pull request #9205: [api] enable CSRF by default
URL: https://github.com/apache/incubator-superset/pull/9205
 
 
   
