dosubot[bot] commented on issue #37753: URL: https://github.com/apache/superset/issues/37753#issuecomment-3861057479
Here are the most likely causes and next steps for your persistent "JWT not present" websocket error, now that your secrets/configs are confirmed correct:

1. **Check if the async-token cookie is set in your browser**: In the browser dev tools (Application/Storage tab), look for a cookie named `async-token` for your Superset domain after logging in. If it's missing, Superset isn't setting it, likely due to cookie attribute issues.

2. **Cookie attributes can prevent the cookie from being set or sent**: The async-token cookie is set by Superset with attributes like `httponly=True`, `secure` (from `GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE`), `domain` (from `GLOBAL_ASYNC_QUERIES_JWT_COOKIE_DOMAIN`), and `samesite` (from `GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SAMESITE`). If, for example, `secure=True` but you're accessing over HTTP, or the domain is set incorrectly, the browser will silently drop the cookie and it won't be sent to the websocket server. SameSite restrictions can also block the cookie in cross-origin scenarios. See the relevant code and config options [here](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/async_events/async_query_manager.py#L134-L195).

   Try explicitly setting these in your `superset_config_docker.py`:
   ```python
   GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE = True  # if using HTTPS
   GLOBAL_ASYNC_QUERIES_JWT_COOKIE_DOMAIN = "subdomain.domain.com"  # match your domain
   GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SAMESITE = "None"  # for cross-origin websocket
   ```

3. **WebSocket URL and hostname must match**: The websocket server and the main Superset app must run on the same hostname (even if on different ports) for cookies to be sent during the handshake. If you use HTTPS, the websocket URL must be `wss://` and the domain must match exactly (no mixing localhost/127.0.0.1/custom domains) [reference](https://github.com/apache/superset/discussions/33583).

4. **Check the WebSocket handshake in the browser**: In the Network tab, filter by "WS", click the failed websocket request, and check the "Request Headers" for a `Cookie` header containing `async-token`. If it's missing, the browser isn't sending it—likely due to the issues above.

5. **Content Security Policy (CSP) can block the connection**: If you have a CSP, ensure your websocket URL is included in the `connect-src` directive in `TALISMAN_CONFIG` in your Superset config [reference](https://github.com/apache/superset/issues/35340).

6. **Nginx must forward cookies and upgrade headers**: Your nginx config looks correct, but double-check that `/ws` is being proxied to the websocket backend and that no subpath or prefix is being added or stripped incorrectly [reference](https://github.com/apache/superset/issues/34773).

If you follow these steps and still see the error, please check if the async-token cookie is ever set in your browser and whether it appears in the websocket handshake request. That will pinpoint whether the issue is with cookie creation, browser policy, or proxying.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
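Added example (not part of the original comment and not Superset's code): a simplified model of the browser cookie rules behind steps 2 and 3 above, returning the reasons an `async-token` cookie would be rejected when set or left out of the WebSocket handshake. The function name, its parameters and the hosts used with it are assumptions; browser special cases for localhost are not modelled.

```python
# Simplified browser cookie model: RFC 6265 domain matching, the Secure
# attribute, and the rule that SameSite=None requires Secure.
import ipaddress
from urllib.parse import urlsplit


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _domain_match(host, domain):
    """RFC 6265 domain-match: identical, or a dot-separated suffix of a non-IP host."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or (host.endswith("." + domain) and not _is_ip(host))


def async_cookie_problems(app_url, ws_url, secure=False, domain=None, samesite=None):
    """Return reasons the cookie is not stored, or not sent on the WS handshake.

    secure/domain/samesite mirror the GLOBAL_ASYNC_QUERIES_JWT_COOKIE_* values.
    Ports are ignored because cookies are not scoped by port.
    """
    app, ws = urlsplit(app_url), urlsplit(ws_url)
    problems = []
    # Storage: rules applied when the app's response sets the cookie.
    if secure and app.scheme != "https":
        problems.append("Secure cookie set over plain HTTP is rejected")
    if domain and not _domain_match(app.hostname, domain):
        problems.append(f"Domain={domain} does not match app host {app.hostname}")
    if (samesite or "").lower() == "none" and not secure:
        problems.append("SameSite=None without Secure is rejected")
    # Sending: rules applied to the WebSocket handshake request.
    if secure and ws.scheme != "wss":
        problems.append("Secure cookie is not sent over ws://")
    if domain:
        if not _domain_match(ws.hostname, domain):
            problems.append(f"WebSocket host {ws.hostname} is outside Domain={domain}")
    elif ws.hostname != app.hostname:
        problems.append(f"host-only cookie for {app.hostname} is not sent to {ws.hostname}")
    return problems
```

An empty list means none of the modelled rules blocks the cookie; the handshake's `Cookie` header in the browser Network tab remains the authoritative check.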
