[api] enable CSRF by default (#9205)
* [api] Fix, don't exempt CSRF on APIs * adds cookie based CSRF token support * blacking Co-authored-by: ʈᵃᵢ <tdupreetan@gmail.com>
This commit is contained in:
parent
28c05b22e8
commit
26e916e46b
|
@ -0,0 +1,41 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
import parseCookie from 'src/utils/parseCookie';
|
||||
|
||||
describe('parseCookie', () => {
|
||||
let cookieVal = '';
|
||||
Object.defineProperty(document, 'cookie', {
|
||||
get: jest.fn().mockImplementation(() => {
|
||||
return cookieVal;
|
||||
}),
|
||||
});
|
||||
it('parses cookie strings', () => {
|
||||
cookieVal = 'val1=foo; val2=bar';
|
||||
expect(parseCookie()).toEqual({ val1: 'foo', val2: 'bar' });
|
||||
});
|
||||
|
||||
it('parses empty cookie strings', () => {
|
||||
cookieVal = '';
|
||||
expect(parseCookie()).toEqual({});
|
||||
});
|
||||
|
||||
it('accepts an arg', () => {
|
||||
expect(parseCookie('val=foo')).toEqual({ val: 'foo' });
|
||||
});
|
||||
});
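Review bot: The `Object.defineProperty(document, 'cookie', …)` stub at the top of the describe block omits `configurable: true`, so the accessor can never be redefined or restored by another suite that shares this jsdom document; add `configurable: true` to the descriptor. The three cases also never exercise a value that itself contains `=` (base64 padding is common in cookie values) or a fragment with no `=` at all, which is exactly where a split-based parser diverges; a constructed case such as `cookieVal = 'tok=abc=='` with expected `{ tok: 'abc==' }` would pin the intended behaviour.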
|
|
@ -18,15 +18,19 @@
|
|||
*/
|
||||
/* eslint no-console: 0 */
|
||||
import { SupersetClient } from '@superset-ui/connection';
|
||||
import parseCookie from 'src/utils/parseCookie';
|
||||
|
||||
export default function setupClient() {
|
||||
const csrfNode = document.querySelector('#csrf_token');
|
||||
const csrfToken = csrfNode ? csrfNode.value : null;
|
||||
|
||||
// when using flask-jwt-extended csrf is set in cookies
|
||||
const cookieCSRFToken = parseCookie().csrf_access_token || '';
|
||||
|
||||
SupersetClient.configure({
|
||||
protocol: (window.location && window.location.protocol) || '',
|
||||
host: (window.location && window.location.host) || '',
|
||||
csrfToken,
|
||||
csrfToken: csrfToken || cookieCSRFToken,
|
||||
})
|
||||
.init()
|
||||
.catch(error => {
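Review bot: `csrfToken: csrfToken || cookieCSRFToken` changes the "no token available" value from `null` to `''`, because `cookieCSRFToken` already defaults to `''` on the line that reads the cookie; any downstream check that distinguishes a missing token from an empty one now sees an empty string, and the client may presumably send an empty `X-CSRFToken` header rather than none. Either append `|| null` to restore the previous shape or document that an empty string is intended. The precedence (DOM `#csrf_token` first, then the cookie) is also worth stating in the comment, e.g. `// prefer the token rendered into the page; fall back to the flask-jwt-extended csrf cookie`. setupClient continues past the end of the hunk.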
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
type CookieMap = { [cookieId: string]: string };
|
||||
|
||||
export default function parseCookie(cookie = document.cookie): CookieMap {
|
||||
return Object.fromEntries(
|
||||
cookie
|
||||
.split('; ')
|
||||
.filter(x => x)
|
||||
.map(x => x.split('=')),
|
||||
);
|
||||
}
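Review bot: `.map(x => x.split('='))` splits on every `=`, and `Object.fromEntries` keeps only the first two elements of each pair, so a cookie value that contains `=` (base64 padding, signed values) is silently truncated — for the `csrf_access_token` lookup this change adds in setupClient, that means a mangled token and a rejected request instead of a visible error. A fragment with no `=` likewise yields `[name]` and an `undefined` value, contradicting the `CookieMap` type. Split on the first `=` only and default the value to `''`, as below. Decoding of percent-encoded values is intentionally not added here, since the callers compare the raw token.
```typescript
      // … unchanged: split('; ').filter(x => x) …
      .map(x => {
        // split on the first '=' only: cookie values may themselves contain '='
        const sep = x.indexOf('=');
        return sep < 0 ? [x, ''] : [x.slice(0, sep), x.slice(sep + 1)];
      }),
```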
|
|
@ -63,6 +63,7 @@ class BaseSupersetModelRestApi(ModelRestApi):
|
|||
Extends FAB's ModelResApi to implement specific superset generic functionality
|
||||
"""
|
||||
|
||||
csrf_exempt = False
|
||||
method_permission_name = {
|
||||
"get_list": "list",
|
||||
"get": "show",
|
||||
|
|