richardfogaca opened a new pull request, #41004: URL: https://github.com/apache/superset/pull/41004
### SUMMARY

Fixes embedded dashboard high-row-count CSV exports for guest-token sessions.

Before this change, the streaming CSV export path always tried to fetch a session CSRF token before building the native `fetch` POST. Embedded guest sessions do not rely on a logged-in Superset session cookie, so the export could fail before the chart data export request had the guest auth material it needed.

Guest token transport for streaming chart exports already exists (#40712), but the request construction still awaited the session CSRF fetch first, and embedded guest sessions cannot read `/api/v1/security/csrf_token/` — the export failed before the POST was ever sent. The export endpoints are CSRF-exempt and authenticate guests via the `guest_token` form field, so the CSRF bootstrap is unnecessary on this path.

This updates streaming export request construction to:

- skip the session CSRF fetch only for guest-token chart exports;
- preserve the existing CSRF header path for logged-in non-guest exports and SQL Lab exports.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A - no visual layout changes. The visible behavior change is covered by the live browser validation below: the CSV Export modal reaches `Export successful` in an embedded guest session instead of failing.

### TESTING INSTRUCTIONS

- Live browser validation in a local Docker Compose Superset runtime: opened an embedded dashboard host page in a fresh logged-out browser context, sent a fresh guest token, and exported a table chart configured with `row_limit=100000`; observed the CSV Export modal reach `Export successful`, the export `POST /api/v1/chart/data` include `guest_token` and `expected_rows=100000`, no CSRF token request during the guest export, and a downloaded CSV with 100000 data rows plus header.
- Live browser validation in the same local Docker Compose Superset runtime: repeated the export from a normal logged-in dashboard page for the same chart; observed the CSRF token request, `X-CSRFToken` on the export POST, no `guest_token` form field, `200 OK`, and the CSV download with 100000 data rows plus header.
- Focused regression test: `cd superset-frontend && npm run test -- src/components/StreamingExportModal/useStreamingExport.test.ts --testNamePattern "guest-token chart exports|non-guest chart exports|SQL Lab exports" --silent=false`

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [x] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
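
The rule stated in the summary (skip the CSRF fetch only for guest-token chart exports, keep `X-CSRFToken` on every other export), as an added example that is not code from this pull request or from Superset. `planExportAuth`, `buildExportRequest`, the `exportType` values and the `form_data` field name are assumptions, and the CSRF fetch is injected as a stub so the block runs offline on constructed inputs.

```javascript
// Added illustration, not Superset code. Function names are hypothetical.
const CHART_DATA_URL = '/api/v1/chart/data'; // export endpoint named in the description

// Pick the auth material for an export POST. The CSRF fetch is skipped only
// when the export is a chart export AND a non-empty guest token is present.
function planExportAuth({ exportType, guestToken }) {
  const isGuestChartExport =
    exportType === 'chart' && typeof guestToken === 'string' && guestToken.length > 0;
  return isGuestChartExport
    ? { needsCsrf: false, formFields: { guest_token: guestToken } }
    : { needsCsrf: true, formFields: {} };
}

// Build the arguments for a native fetch() POST. fetchCsrfToken is injected
// (in a browser it would read /api/v1/security/csrf_token/).
async function buildExportRequest(opts, fetchCsrfToken) {
  const { url, exportType, guestToken, payload, expectedRows } = opts;
  const plan = planExportAuth({ exportType, guestToken });
  const body = new URLSearchParams({
    form_data: JSON.stringify(payload), // assumed field name for the query payload
    expected_rows: String(expectedRows),
    ...plan.formFields,
  });
  const headers = {};
  if (plan.needsCsrf) {
    const token = await fetchCsrfToken();
    // Fail closed: a session-authenticated export never goes out without the header.
    if (!token) throw new Error('CSRF token unavailable for session export');
    headers['X-CSRFToken'] = token;
  }
  return { url, init: { method: 'POST', headers, body } };
}

// Constructed sample inputs: one guest export, then one logged-in export.
async function demo() {
  let csrfFetches = 0;
  const stubCsrf = async () => { csrfFetches += 1; return 'constructed-csrf'; };
  const base = { url: CHART_DATA_URL, exportType: 'chart',
                 payload: { row_limit: 100000 }, expectedRows: 100000 };
  const guest = await buildExportRequest({ ...base, guestToken: 'constructed.guest.token' }, stubCsrf);
  const afterGuest = csrfFetches; // CSRF fetches made while building the guest request
  const session = await buildExportRequest(base, stubCsrf);
  return { guest, session, afterGuest, csrfFetches };
}

demo().then((r) => console.log('CSRF fetches: guest', r.afterGuest, 'total', r.csrfFetches));
```

An empty or missing guest token, or any non-chart export type, falls through to the CSRF path, so the skip cannot widen to session-authenticated requests by accident.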
