nsivarajan opened a new pull request, #31173: URL: https://github.com/apache/superset/pull/31173
### SUMMARY

This PR addresses [#30900](https://github.com/apache/superset/issues/30900), which reports a "400 Bad Request: The CSRF session token is missing" error during cache warmup. The issue was due to missing header updates with the CSRF token and cookie (expecting `session='session_cookie'`). This PR ensures the token is correctly fetched and included in headers during the warmup process, resolving the error.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

Success:

```
...
...
[2024-11-26 19:00:00,054: INFO/ForkPoolWorker-62] cache-warmup[cad28d1b-df9c-4800-98bd-a09ec3af5d73]: Loading strategy
[2024-11-26 19:00:00,054: INFO/ForkPoolWorker-62] cache-warmup[cad28d1b-df9c-4800-98bd-a09ec3af5d73]: Loading DashboardTagsStrategy
[2024-11-26 19:00:00,055: INFO/ForkPoolWorker-62] cache-warmup[cad28d1b-df9c-4800-98bd-a09ec3af5d73]: Success!
[2024-11-26 19:00:00,131: INFO/ForkPoolWorker-62] fetch_url[90921f09-84a0-49ee-8b66-790864c72524]: Fetching https://sample.example.com/api/v1/security/csrf_token/
[2024-11-26 19:00:00,130: INFO/ForkPoolWorker-62] fetch_url[90921f09-84a0-49ee-8b66-790864c72524]: URL 'https://sample.example.com/api/v1/chart/warm_up_cache' is secure. Adding Referer header.
[2024-11-26 19:00:00,207: INFO/ForkPoolWorker-62] fetch_url[90921f09-84a0-49ee-8b66-790864c72524]: Fetching https://sample.example.com/api/v1/chart/warm_up_cache with payload {"chart_id": 1}
[2024-11-26 19:00:00,593: INFO/ForkPoolWorker-62] fetch_url[90921f09-84a0-49ee-8b66-790864c72524]: Fetched https://sample.example.com/api/v1/chart/warm_up_cache with payload {"chart_id": 1}, status code: 200
....
....
[2024-11-27 01:00:00,015: INFO/ForkPoolWorker-16] cache-warmup[35eba83f-4d8a-420c-9965-2a4a0411c891]: Loading strategy
[2024-11-27 01:00:00,016: INFO/ForkPoolWorker-16] cache-warmup[35eba83f-4d8a-420c-9965-2a4a0411c891]: Loading DashboardTagsStrategy
[2024-11-27 01:00:00,016: INFO/ForkPoolWorker-16] cache-warmup[35eba83f-4d8a-420c-9965-2a4a0411c891]: Success!
[2024-11-27 01:00:00,091: INFO/ForkPoolWorker-64] fetch_url[e9a5874d-0123-4d9b-8919-48b3bddd9ece]: Fetching https://sample.example.com/api/v1/security/csrf_token/
[2024-11-27 01:00:00,090: INFO/ForkPoolWorker-64] fetch_url[e9a5874d-0123-4d9b-8919-48b3bddd9ece]: URL 'https://sample.example.com/api/v1/chart/warm_up_cache' is secure. Adding Referer header.
[2024-11-27 01:00:00,163: INFO/ForkPoolWorker-64] fetch_url[e9a5874d-0123-4d9b-8919-48b3bddd9ece]: Fetching https://sample.example.com/api/v1/chart/warm_up_cache with payload {"chart_id": 1}
[2024-11-27 01:00:00,548: INFO/ForkPoolWorker-64] fetch_url[e9a5874d-0123-4d9b-8919-48b3bddd9ece]: Fetched https://sample.example.com/api/v1/chart/warm_up_cache with payload {"chart_id": 1}, status code: 200
...
```

### TESTING INSTRUCTIONS

Since we are now explicitly fetching the CSRF token, we can enable `WTF_CSRF_ENABLED = True` or safely remove `WTF_CSRF_EXEMPT_LIST` for any cache warmup-related endpoints. This ensures that all requests, including those for cache warmup, are properly validated with CSRF protection, thereby enhancing application security.

If CSRF protection is disabled or the endpoint is exempted, no CSRF checks will be performed. However, the `ChartRestApi.warm_up_cache` endpoint still requires a session cookie (`session=session_cookie`) to determine the user's context and permissions. Without this, the request will fail with a `401 Unauthorized` error. This PR ensures the session cookie is correctly updated in the request headers under the Cookie field, enabling the user context to be accurately resolved for authorization.
### ADDITIONAL INFORMATION

- [x] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
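The exchange the PR describes, reproduced as an added example that is not Superset's code and not the PR author's: a stand-in HTTP server applies CSRF and session checks modelled on Flask-WTF's `CSRFProtect` (its error strings are borrowed from Flask-WTF; the token binding is simplified to an HMAC over the session value, which is an assumption, not how Flask-WTF stores its per-session secret), and a client performs the two-step warm-up flow: fetch `/api/v1/security/csrf_token/` with the session cookie, then POST `/api/v1/chart/warm_up_cache` carrying `Cookie`, `X-CSRFToken` and `Referer`. The `carry_cookie` / `carry_token` flags and the `csrf_enabled` switch are constructed so that each failure mode named in the description (400 "The CSRF session token is missing", 400 with no token, 401 when CSRF is off but the cookie is absent) can be observed next to the fixed request.

```python
"""Added example (not Superset's or the PR author's code): stand-in server with
Flask-WTF-style CSRF/session checks plus a client doing the warm-up exchange."""
import hashlib
import hmac
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET_KEY = secrets.token_bytes(32)  # constructed; stands in for the app's SECRET_KEY
VALID_SESSION = "session_cookie"      # constructed; the worker's logged-in session value


def csrf_token_for(session):
    # Simplification (assumption): Flask-WTF keeps a random secret inside the signed
    # session; here the token is an HMAC over the session value, so it is only
    # valid together with the session it was issued for.
    return hmac.new(SECRET_KEY, session.encode(), hashlib.sha256).hexdigest()


def parse_cookie(header):
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


class StandInSupersetHandler(BaseHTTPRequestHandler):
    csrf_enabled = True  # models WTF_CSRF_ENABLED / WTF_CSRF_EXEMPT_LIST

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        session = parse_cookie(self.headers.get("Cookie")).get("session")
        if self.path != "/api/v1/security/csrf_token/":
            return self._reply(404, {"message": "Not Found"})
        if session != VALID_SESSION:  # the token endpoint itself needs a logged-in session
            return self._reply(401, {"message": "Unauthorized"})
        self._reply(200, {"result": csrf_token_for(session)})

    def do_POST(self):
        payload = json.loads(self.rfile.read(int(self.headers.get("Content-Length", "0"))) or b"{}")
        session = parse_cookie(self.headers.get("Cookie")).get("session")
        token = self.headers.get("X-CSRFToken")
        if self.path != "/api/v1/chart/warm_up_cache":
            return self._reply(404, {"message": "Not Found"})
        if self.csrf_enabled:
            # CSRF validation runs before the view; order and messages follow Flask-WTF:
            # header missing, then session (cookie) missing, then token mismatch.
            if not token:
                return self._reply(400, {"message": "The CSRF token is missing."})
            if session is None:
                return self._reply(400, {"message": "The CSRF session token is missing."})
            if not hmac.compare_digest(token, csrf_token_for(session)):
                return self._reply(400, {"message": "The CSRF token is invalid."})
        if session != VALID_SESSION:  # view-level auth: the user is resolved from the session
            return self._reply(401, {"message": "Unauthorized"})
        self._reply(200, {"result": [{"chart_id": payload.get("chart_id"), "viz_status": "success"}]})


def _request(url, headers, data=None):
    req = urllib.request.Request(url, data=data, headers=headers,
                                 method="POST" if data is not None else "GET")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def warm_up_cache(base_url, chart_id, carry_cookie=True, carry_token=True):
    """Two-step exchange; the flags reproduce the pre-fix omissions."""
    cookie = {"Cookie": "session=" + VALID_SESSION}
    status, body = _request(base_url + "/api/v1/security/csrf_token/", cookie)
    if status != 200:
        return status, body
    headers = {"Content-Type": "application/json", "Referer": base_url + "/"}
    if carry_cookie:  # the fix: the same session cookie must accompany the POST
        headers.update(cookie)
    if carry_token:   # the fix: the fetched token goes into X-CSRFToken
        headers["X-CSRFToken"] = body["result"]
    return _request(base_url + "/api/v1/chart/warm_up_cache", headers,
                    json.dumps({"chart_id": chart_id}).encode())


def demo():
    """Run the scenarios against a fresh stand-in server; returns {name: (status, body)}."""
    server = HTTPServer(("127.0.0.1", 0), StandInSupersetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        results = {
            "token_without_cookie": warm_up_cache(base, 1, carry_cookie=False),  # the reported bug
            "cookie_without_token": warm_up_cache(base, 1, carry_token=False),
            "fixed": warm_up_cache(base, 1),
        }
        StandInSupersetHandler.csrf_enabled = False  # CSRF off or endpoint exempted
        results["csrf_off_without_cookie"] = warm_up_cache(base, 1, carry_cookie=False)
        StandInSupersetHandler.csrf_enabled = True
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(name, status, body)
```

The point the scenarios make is that the token and the cookie are one credential pair: the server can only check `X-CSRFToken` against the secret held in the session that the `Cookie` header identifies, so fetching a token and then dropping the cookie produces exactly the "CSRF session token is missing" response from the issue, while a worker that skips CSRF entirely still needs the cookie for authorization.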
