Alejandroid17 commented on issue #37930:
URL: https://github.com/apache/superset/issues/37930#issuecomment-3891746878

   > ### Bug description
   > Related: [#16398](https://github.com/apache/superset/issues/16398)
   > 
   > # Expected results
   > POST /api/v1/database endpoint should work because it's in the documentation.
   > 
   > # Actual results
   > Using a script:
   > 
   > ```
   > The CSRF token is missing
   > ```
   > 
   > # Steps/script
   > When I try to do it from a script, some endpoints don't work, but it works from Postman.
   > 
   > Superset version: 4.1.0
   > 
   > Script:
   > 
   > ```python
   > import urllib.parse
   > 
   > import requests
   > 
   > # self.base_url, self.username, self.password and data are set elsewhere
   > # in the reporter's class; they are not shown in the issue.
   > with requests.Session() as session:
   >     # ---- LOGIN ----
   >     url = urllib.parse.urljoin(self.base_url, '/api/v1/security/login')
   >     payload = {
   >         "username": self.username,
   >         "password": self.password,
   >         "provider": "db",
   >         "refresh": True,
   >     }
   > 
   >     response = session.post(url, json=payload)
   >     response.raise_for_status()
   > 
   >     access_token = response.json()["access_token"]
   > 
   >     # ---- AUTH HEADER ----
   >     session.headers.update(
   >         {
   >             "Authorization": f"Bearer {access_token}",
   >         }
   >     )
   > 
   >     # ---- CSRF ----
   >     csrf_url = urllib.parse.urljoin(self.base_url, '/api/v1/security/csrf_token/')
   >     csrf_res = session.get(csrf_url)
   >     csrf_res.raise_for_status()
   > 
   >     csrf_token = csrf_res.json()["result"]
   > 
   >     session.headers.update({"X-CSRFToken": csrf_token})
   > 
   >     print("Cookies:", session.cookies.get_dict())
   >     print("CSRF:", session.headers.get("X-CSRFToken"))
   > 
   >     # Users - OK
   >     url = urllib.parse.urljoin(self.base_url, '/api/v1/security/users')
   >     users_res = session.get(url)
   >     users_res.raise_for_status()
   >     print("Users:", users_res.json())
   > 
   >     # Database - FAIL -> Missing CSRF token
   >     url = urllib.parse.urljoin(self.base_url, '/api/v1/database/')
   >     res = session.post(url, json=data)
   >     res.raise_for_status()
   > ```
   > 
   > Output:
   > 
   > ```
   > Cookies: {'session': '63-FMavKIPpx1yPVLucJ......DZ1OLxA-KLDpXHnqo'}
   > JWT: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI......LA4XQR7rANbqiY
   > CSRF: IjUyNmY3NTFjODkyZmIxY2JmZmY5MTllNTA3YTcyYjFkYTczODg3NmIi.aY3Pjw.x4vEM5JM92cdFKod8RH6QY1Jm_U
   > Users: {'count': 2, 'description_columns': {}, .....
   > ```
   > 
   > Trace:
   > 
   > ```
   > superset_app          | During handling of the above exception, another exception occurred:
   > superset_app          | 
   > superset_app          | Traceback (most recent call last):
   > superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1482, in full_dispatch_request
   > superset_app          |     rv = self.preprocess_request()
   > superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1974, in preprocess_request
   > superset_app          |     rv = self.ensure_sync(before_func)()
   > superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
   > superset_app          |     self.protect()
   > superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 264, in protect
   > superset_app          |     self._error_response(e.args[0])
   > superset_app          |   File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response
   > superset_app          |     raise CSRFError(reason)
   > superset_app          | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
   > ```
   > 
   > Perhaps related settings:
   > 
   > ```python
   > WTF_CSRF_ENABLED = True
   > 
   > WTF_CSRF_EXEMPT_LIST = [
   >     "superset.views.core.log",
   >     "superset.views.core.explore_json",
   >     "superset.charts.data.api.data",
   >     "superset.dashboards.api.cache_dashboard_screenshot",
   > ]
   > ```
   > 
   > Postman (The db already exists, but the call is correct.)
   > 
   > ### Screenshots/recordings
   > _No response_
   > 
   > ### Superset version
   > 5.0.0
   > 
   > ### Python version
   > 3.10
   > 
   > ### Node version
   > 18 or greater
   > 
   > ### Browser
   > Not applicable
   > 
   > ### Additional context
   > _No response_
   > 
   > ### Checklist
   > * [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
   > * [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
   > * [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
   
   I solved it with this line.
   
   ```python
   session.headers.update({"Cookie": f"session={session.cookies.get('session')}"})
   ```
   
   ```python
   import urllib.parse
   
   import requests
   
   # self.base_url, self.username, self.password and data are set elsewhere
   # in the class this snippet comes from; they are not shown here.
   with requests.Session() as session:
       # ---- LOGIN ----
       url = urllib.parse.urljoin(self.base_url, '/api/v1/security/login')
       payload = {
           "username": self.username,
           "password": self.password,
           "provider": "db",
           "refresh": True,
       }
   
       response = session.post(url, json=payload)
       response.raise_for_status()
   
       access_token = response.json()["access_token"]
   
       # ---- AUTH HEADER ----
       session.headers.update(
           {
               "Authorization": f"Bearer {access_token}",
           }
       )
   
       # ---- CSRF ----
       csrf_url = urllib.parse.urljoin(self.base_url, '/api/v1/security/csrf_token/')
       csrf_res = session.get(csrf_url)
       csrf_res.raise_for_status()
   
       csrf_token = csrf_res.json()["result"]
   
       session.headers.update({"X-CSRFToken": csrf_token})
       # Explicitly attach the Flask session cookie that the CSRF token is bound to
       session.headers.update({"Cookie": f"session={session.cookies.get('session')}"})  # <-------------- HERE!!!
   
       print("Cookies:", session.cookies.get_dict())
       print("CSRF:", session.headers.get("X-CSRFToken"))
   
       # Users - OK
       url = urllib.parse.urljoin(self.base_url, '/api/v1/security/users')
       users_res = session.get(url)
       users_res.raise_for_status()
       print("Users:", users_res.json())
   
       # Database - OK
       url = urllib.parse.urljoin(self.base_url, '/api/v1/database/')
       res = session.post(url, json=data)
       res.raise_for_status()
   ```
   
   Thxs :D
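The two messages in the issue (`The CSRF token is missing` from the script, `The CSRF session token is missing` in the trace) come from Flask-WTF, which compares the token in `X-CSRFToken` with a secret it stored in the signed `session` cookie, so a POST that carries the header but not the cookie is rejected; the workaround works because it makes sure the cookie is sent. The following standard-library re-implementation of that check is an added example, not Flask-WTF's or Superset's code: the signing format is a simplified stand-in for the itsdangerous signature, and `check` is a helper introduced here.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"demo-only-secret"  # constructed; a deployment uses its own SECRET_KEY
TOKEN_TTL = 3600                  # seconds, same role as WTF_CSRF_TIME_LIMIT

class CSRFError(Exception):
    """Carries the same reason strings Flask-WTF puts in its 400 response."""

def _sign(raw, issued_at):
    # Simplified stand-in for the itsdangerous timed signature Flask-WTF uses.
    mac = hmac.new(SECRET_KEY, f"{raw}.{issued_at}".encode(), hashlib.sha256).digest()
    return f"{raw}.{issued_at}." + base64.urlsafe_b64encode(mac).decode().rstrip("=")

def generate_csrf(session):
    """Store a random secret in the cookie-backed session and hand the client
    a signed copy, as GET /api/v1/security/csrf_token/ does."""
    session.setdefault("csrf_token", secrets.token_hex(16))
    return _sign(session["csrf_token"], int(time.time()))

def validate_csrf(session, request_token, now=None):
    """Flask-WTF's order: header present, session present, signature and age
    valid, then a constant-time comparison of the two secrets."""
    if not request_token:
        raise CSRFError("The CSRF token is missing.")
    if "csrf_token" not in session:
        # The trace in the issue: X-CSRFToken arrived but the session cookie did not.
        raise CSRFError("The CSRF session token is missing.")
    try:
        raw, issued_at, _sig = request_token.rsplit(".", 2)
        issued_at = int(issued_at)
    except ValueError:
        raise CSRFError("The CSRF token is invalid.")
    if not hmac.compare_digest(_sign(raw, issued_at), request_token):
        raise CSRFError("The CSRF token is invalid.")
    if (now if now is not None else int(time.time())) - issued_at > TOKEN_TTL:
        raise CSRFError("The CSRF token has expired.")
    if not hmac.compare_digest(session["csrf_token"], raw):
        raise CSRFError("The CSRF tokens do not match.")

def check(session, request_token, now=None):
    """Return 'ok' or the rejection reason a client would see in the 400 body."""
    try:
        validate_csrf(session, request_token, now)
        return "ok"
    except CSRFError as err:
        return str(err)
```

A `Cookie` header set on a requests session takes precedence over its cookie jar, so the workaround pins whatever session value was current when the header was set and needs refreshing if the server re-issues the cookie.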


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

