Alejandroid17 opened a new issue, #37930:
URL: https://github.com/apache/superset/issues/37930

   ### Bug description
   
   Related: #16398
   
   # Expected results
   POST /api/v1/database endpoint should work because it's in the documentation.
   
   # Actual results
   Using a script:
   ```
   The CSRF token is missing
   ```
   
   # Steps/script
   When I try to do it from a script, some endpoints don't work, but it works from Postman.
   
   Superset version: 4.1.0
   
   Script:
   ```python
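   import urllib.parse

   import requests

   # Fragment of a client method: self.base_url, self.username, self.password
   # and `data` (the database payload) are defined elsewhere.
   with requests.Session() as session: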
       # ---- LOGIN ----
       url = urllib.parse.urljoin(self.base_url, '/api/v1/security/login')
       payload = {
           "username": self.username,
           "password": self.password,
           "provider": "db",
           "refresh": True,
       }
   
       response = session.post(url, json=payload)
       response.raise_for_status()
   
       access_token = response.json()["access_token"]
   
       # ---- AUTH HEADER ----
       session.headers.update(
           {
               "Authorization": f"Bearer {access_token}",
           }
       )
   
       # ---- CSRF ----
       csrf_url = urllib.parse.urljoin(self.base_url, '/api/v1/security/csrf_token/')
       csrf_res = session.get(csrf_url)
       csrf_res.raise_for_status()
   
       csrf_token = csrf_res.json()["result"]
   
       session.headers.update({"X-CSRFToken": csrf_token})
   
       print("Cookies:", session.cookies.get_dict())
       print("CSRF:", session.headers.get("X-CSRFToken"))
   
       # Users - OK
       url = urllib.parse.urljoin(self.base_url, '/api/v1/security/users')
       users_res = session.get(url)
       users_res.raise_for_status()
       print("Users:", users_res.json())
   
       # Database - FAIL -> Missing CSRF token
       url = urllib.parse.urljoin(self.base_url, '/api/v1/database/')
       res = session.post(url, json=data)
       res.raise_for_status()
   ```
   
   Output:
   ```bash
   Cookies: {'session': '63-FMavKIPpx1yPVLucJ......DZ1OLxA-KLDpXHnqo'}
   JWT: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI......LA4XQR7rANbqiY
   CSRF: IjUyNmY3NTFjODkyZmIxY2JmZmY5MTllNTA3YTcyYjFkYTczODg3NmIi.aY3Pjw.x4vEM5JM92cdFKod8RH6QY1Jm_U
   Users: {'count': 2, 'description_columns': {}, .....
   ```
   
   Trace:
   ```bash
   superset_app          | During handling of the above exception, another exception occurred:
   superset_app          | 
   superset_app          | Traceback (most recent call last):
   superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1482, in full_dispatch_request
   superset_app          |     rv = self.preprocess_request()
   superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1974, in preprocess_request
   superset_app          |     rv = self.ensure_sync(before_func)()
   superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
   superset_app          |     self.protect()
   superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 264, in protect
   superset_app          |     self._error_response(e.args[0])
   superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response
   superset_app          |     raise CSRFError(reason)
   superset_app          | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
   ```
   
   Perhaps, related settings:
   ```python
   WTF_CSRF_ENABLED = True
   
   WTF_CSRF_EXEMPT_LIST = [
       "superset.views.core.log",
       "superset.views.core.explore_json",
       "superset.charts.data.api.data",
       "superset.dashboards.api.cache_dashboard_screenshot",
   ]
   
   ```
   
   Postman (The DB already exists, but the call is correct.)
   
   <img width="1083" height="903" alt="Image" src="https://github.com/user-attachments/assets/dba264f0-7b49-4759-b014-6e008c4e75c0" />
   
   ### Screenshots/recordings
   
   _No response_
   
   ### Superset version
   
   5.0.0
   
   ### Python version
   
   3.10
   
   ### Node version
   
   18 or greater
   
   ### Browser
   
   Not applicable
   
   ### Additional context
   
   _No response_
   
   ### Checklist
   
   - [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
   - [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
   - [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

