[api] enable CSRF by default (#9205)

* [api] Fix, don't exempt CSRF on APIs

* adds cookie based CSRF token support

* blacking

Co-authored-by: ʈᵃᵢ <tdupreetan@gmail.com>

superset-frontend/spec/javascripts/utils/parseCookie_spec.ts

@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import parseCookie from 'src/utils/parseCookie';
+
+describe('parseCookie', () => {
+  let cookieVal = '';
+  Object.defineProperty(document, 'cookie', {
+    get: jest.fn().mockImplementation(() => {
+      return cookieVal;
+    }),
+  });
+  it('parses cookie strings', () => {
+    cookieVal = 'val1=foo; val2=bar';
+    expect(parseCookie()).toEqual({ val1: 'foo', val2: 'bar' });
+  });
+
+  it('parses empty cookie strings', () => {
+    cookieVal = '';
+    expect(parseCookie()).toEqual({});
+  });
+
+  it('accepts an arg', () => {
+    expect(parseCookie('val=foo')).toEqual({ val: 'foo' });
+  });
+});

superset-frontend/src/setup/setupClient.js

@@ -18,15 +18,19 @@
  */
 /* eslint no-console: 0 */
 import { SupersetClient } from '@superset-ui/connection';
+import parseCookie from 'src/utils/parseCookie';
 
 export default function setupClient() {
   const csrfNode = document.querySelector('#csrf_token');
   const csrfToken = csrfNode ? csrfNode.value : null;
 
+  // when using flask-jwt-extended csrf is set in cookies
+  const cookieCSRFToken = parseCookie().csrf_access_token || '';
+
   SupersetClient.configure({
     protocol: (window.location && window.location.protocol) || '',
     host: (window.location && window.location.host) || '',
-    csrfToken,
+    csrfToken: csrfToken || cookieCSRFToken,
   })
     .init()
     .catch(error => {

superset-frontend/src/utils/parseCookie.ts

@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+type CookieMap = { [cookieId: string]: string };
+
+export default function parseCookie(cookie = document.cookie): CookieMap {
+  return Object.fromEntries(
+    cookie
+      .split('; ')
+      .filter(x => x)
+      .map(x => x.split('=')),
+  );
+}

superset/views/base_api.py

@@ -63,6 +63,7 @@ class BaseSupersetModelRestApi(ModelRestApi):
     Extends FAB's ModelResApi to implement specific superset generic functionality
     """
 
+    csrf_exempt = False
     method_permission_name = {
         "get_list": "list",
         "get": "show",