GitHub user dosubot[bot] added a comment to the discussion: API returns empty dashboards/charts (count:0) after successful login on Superset 4.1.2
Thanks for following up. This appears to be a [known bug in Superset 4.1.x where Bearer token authentication returns empty results](https://github.com/apache/superset/issues/25285#issuecomment-2042031772) even when permissions are correct.

**First, verify your session cookie is being set properly:**

```python
# After calling CSRF endpoint, check if cookies are set:
print("Cookies:", self.session.cookies.get_dict())
```

If the session cookie is present but you still get empty results, there are two workarounds:

**Option 1: Check Public role permissions**

Go to Settings → List Roles → Public and ensure it does NOT have `can read on Dashboard` or `can read on Chart` permissions. These can [interfere with Bearer token authentication](https://github.com/apache/superset/issues/25285#issuecomment-2042031772).

**Option 2: Use browser session cookie (most reliable)**

Since [session cookies from browser login work correctly](https://github.com/apache/superset/discussions/33585#discussioncomment-13278652), you can use this approach:

1. Log in to Superset via browser
2. Open Developer Tools → Application → Cookies
3. Copy the `session` cookie value
4. Use it in your code:

```python
import requests

def get_all_dashboards_with_session_cookie(self, session_cookie):
    url = self.base_url + '/dashboard/'
    headers = {
        "Cookie": f"session={session_cookie}"
    }
    # Note: Don't use self.session here, use requests.get directly
    # verify=False turns off TLS certificate verification for this request
    resp = requests.get(url, headers=headers, verify=False)
    print("response status:", resp.status_code)
    print("response data:", resp.text)
```

This bypasses the Bearer token authentication path entirely and should return your dashboards.

**Also try running:** `superset init` to re-sync all roles and permissions.

Can you try the browser session cookie approach to confirm your dashboards are accessible via API at all? That will help confirm whether this is an authentication path issue or a permissions issue.
GitHub link: https://github.com/apache/superset/discussions/38814#discussioncomment-16287077
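The comparison the comment asks for (same endpoint, once per authentication path) can be scripted as below. This is an added example, not part of the comment above or of Superset's code; it assumes `base_url` ends in `/api/v1`, that the JSON body carries the `count` field from the discussion title, and it uses a constructed stand-in opener instead of a real server.

```python
import io
import json
import urllib.request

def auth_headers(bearer=None, session_cookie=None):
    """Build headers for exactly one auth path: Bearer token or session cookie."""
    if (bearer is None) == (session_cookie is None):
        raise ValueError("pass exactly one of bearer / session_cookie")
    secret = bearer if bearer is not None else session_cookie
    # Both values are credentials; refuse anything that could split or extend a header.
    if not secret or any(c in secret for c in "\r\n; "):
        raise ValueError("credential contains characters not valid in a header value")
    if bearer is not None:
        return {"Authorization": f"Bearer {bearer}"}
    return {"Cookie": f"session={session_cookie}"}

def dashboard_count(base_url, headers, opener=urllib.request.urlopen):
    """GET <base_url>/dashboard/ and return the 'count' field of the JSON body."""
    req = urllib.request.Request(base_url.rstrip("/") + "/dashboard/", headers=headers)
    with opener(req, timeout=10) as resp:  # urllib keeps TLS verification on by default
        return int(json.load(resp).get("count", 0))

def diagnose(bearer_count, cookie_count):
    """Apply the comment's reasoning to the two counts."""
    if bearer_count > 0:
        return "bearer-ok"
    if cookie_count > 0:
        return "authentication-path"  # cookie sees dashboards, Bearer does not
    return "permissions"              # neither path sees any dashboard

def constructed_opener(req, timeout=None):
    """Constructed stand-in for a server: empty for Bearer, two rows for cookie."""
    count = 2 if req.get_header("Cookie") else 0
    return io.BytesIO(json.dumps({"count": count, "result": []}).encode())

def run_demo():
    base = "https://superset.example.invalid/api/v1"  # assumed base_url shape
    bearer = dashboard_count(base, auth_headers(bearer="constructed.token"),
                             constructed_opener)
    cookie = dashboard_count(base, auth_headers(session_cookie="constructed.cookie"),
                             constructed_opener)
    return diagnose(bearer, cookie)

if __name__ == "__main__":
    print(run_demo())
```

Against a real instance, drop the `opener` argument and read the token or cookie from the environment rather than the source file, since either value grants the account's access until it expires.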
