sudiptob2 commented on PR #37638:
URL: https://github.com/apache/airflow/pull/37638#issuecomment-1963024149
> Yes, it's scope. I have this now.
>
> ```
> # asgi-csrf skip_if_scope
> def skip_api_paths(scope):
>     return scope["path"].startswith("/api/v1")
>
> flask_app = asgi_csrf(
>     flask_app,
>     signing_secret=conf.get_mandatory_value("webserver", "secret_key"),
>     skip_if_scope=skip_api_paths,
> )
> ```
>
> After using asgi_csrf, I get a different error. `RuntimeError: A secret key is required to use CSRF. INFO: "POST /api/v1/dags/exmple_bash_operator/dagRuns HTTP/1.1"` instead of something like `CSRF token is missing` on the same endpoint.
>
> I hope I'm in the right direction to solve the issue. Here is [my pull request](https://github.com/sudiptob2/airflow/pull/3) to Sudipto's forked repo.
It is possible to avoid this error using the following tweak for the time being. asgi-csrf looks for the `SECRET_KEY` variable to be set. But it still does not solve the problem of the missing `CSRF` token. In my opinion, it won't be this simple to add the `asgi_csrf` middleware.

```python3
# asgi-csrf skip_if_scope
from airflow.configuration import conf
from asgi_csrf import asgi_csrf

# The tweak: make the webserver secret available to the Flask app as SECRET_KEY.
flask_app.config['SECRET_KEY'] = conf.get_mandatory_value("webserver", "secret_key")

def skip_api_paths(scope):
    # Requests under /api/v1 are exempted from the CSRF check.
    return scope["path"].startswith("/api/v1")

# Keep the wrapped app; otherwise the middleware is never in the request path.
flask_app = asgi_csrf(
    flask_app,
    signing_secret=conf.get_mandatory_value("webserver", "secret_key"),
    skip_if_scope=skip_api_paths,
)
```
@potiuk
Can we get a demo/explanation session in the next meeting regarding how the
CSRF protection works in airflow, especially in the context of this PR?
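To make the `skip_if_scope` exemption discussed in this thread concrete, here is an added, self-contained example (not Airflow's code and not the asgi-csrf package): a constructed middleware that mirrors the `asgi_csrf(app, signing_secret=..., skip_if_scope=...)` shape wraps a toy ASGI app and is driven with constructed scopes, where `SECRET`, `csrf_middleware`, `hello_app`, `sign` and `status_of` are all assumptions of this example. It shows a POST to `/api/v1/...` passing with no token while a POST elsewhere is refused with 403 unless the double-submit cookie and header agree, and that an empty secret raises a `RuntimeError` like the one reported above.

```python
import asyncio
import hashlib
import hmac
from http.cookies import SimpleCookie

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def skip_api_paths(scope):
    # Same predicate as in the thread: REST API paths bypass the CSRF check.
    return scope["path"].startswith("/api/v1")

def sign(secret, cookie_token):
    # Header value a legitimate page submits: HMAC(secret, csrftoken cookie value).
    return hmac.new(secret.encode(), cookie_token.encode(), hashlib.sha256).hexdigest()

def csrf_middleware(app, signing_secret, skip_if_scope=None):
    # Constructed stand-in for asgi_csrf(app, signing_secret=..., skip_if_scope=...), not the package.
    if not signing_secret:
        raise RuntimeError("A secret key is required to use CSRF")
    async def wrapped(scope, receive, send):
        exempt = skip_if_scope is not None and skip_if_scope(scope)
        if scope["type"] != "http" or scope["method"] not in UNSAFE_METHODS or exempt:
            return await app(scope, receive, send)
        headers = {k.decode().lower(): v.decode() for k, v in scope["headers"]}
        jar = SimpleCookie(headers.get("cookie", ""))
        cookie_token = jar["csrftoken"].value if "csrftoken" in jar else ""
        submitted = headers.get("x-csrftoken", "")
        if cookie_token and hmac.compare_digest(sign(signing_secret, cookie_token), submitted):
            return await app(scope, receive, send)
        await send({"type": "http.response.start", "status": 403, "headers": []})
        await send({"type": "http.response.body", "body": b"CSRF token is missing"})
    return wrapped

async def hello_app(scope, receive, send):
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def status_of(app, method, path, headers=()):
    # Drive the ASGI app with a constructed scope (no server); return the status code.
    scope = {"type": "http", "method": method, "path": path,
             "headers": [(k.encode(), v.encode()) for k, v in headers]}
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]

SECRET = "example-secret"  # placeholder for conf.get_mandatory_value("webserver", "secret_key")
protected = csrf_middleware(hello_app, signing_secret=SECRET, skip_if_scope=skip_api_paths)
```

Exempting `/api/v1` is only safe when those endpoints are authenticated by something a browser does not attach automatically (an Authorization header rather than the session cookie); otherwise the exemption reopens the CSRF hole the middleware exists to close.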