[api] enable CSRF by default (#9205)
* [api] Fix, don't exempt CSRF on APIs
* adds cookie based CSRF token support
* blacking

Co-authored-by: ʈᵃᵢ <tdupreetan@gmail.com>
This commit is contained in:
parent
28c05b22e8
commit
26e916e46b
|
@ -0,0 +1,41 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
import parseCookie from 'src/utils/parseCookie';
|
||||||
|
|
||||||
|
describe('parseCookie', () => {
|
||||||
|
let cookieVal = '';
|
||||||
|
Object.defineProperty(document, 'cookie', {
|
||||||
|
get: jest.fn().mockImplementation(() => {
|
||||||
|
return cookieVal;
|
||||||
|
}),
|
||||||
|
});
|
||||||
|
it('parses cookie strings', () => {
|
||||||
|
cookieVal = 'val1=foo; val2=bar';
|
||||||
|
expect(parseCookie()).toEqual({ val1: 'foo', val2: 'bar' });
|
||||||
|
});
|
||||||
|
|
||||||
|
it('parses empty cookie strings', () => {
|
||||||
|
cookieVal = '';
|
||||||
|
expect(parseCookie()).toEqual({});
|
||||||
|
});
|
||||||
|
|
||||||
|
it('accepts an arg', () => {
|
||||||
|
expect(parseCookie('val=foo')).toEqual({ val: 'foo' });
|
||||||
|
});
|
||||||
|
});
|
|
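Review bot: The `Object.defineProperty(document, 'cookie', { get: ... })` stub at the top of the describe block omits `configurable: true`, so the accessor becomes non-configurable and cannot be restored or redefined by any later suite that shares this jsdom document; add `configurable: true,` beside the getter and restore the original descriptor in an `afterAll`. A plain `get: () => cookieVal` would also do, since the `jest.fn()` call history is never asserted. None of the three cases feeds a value that itself contains `=` (legitimate in cookie values, e.g. base64 padding), which is the input most likely to go wrong in `parseCookie`; a case like `cookieVal = 'tok=abc==; x=y'` expecting `{ tok: 'abc==', x: 'y' }` would cover it.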
@ -18,15 +18,19 @@
|
||||||
*/
|
*/
|
||||||
/* eslint no-console: 0 */
|
/* eslint no-console: 0 */
|
||||||
import { SupersetClient } from '@superset-ui/connection';
|
import { SupersetClient } from '@superset-ui/connection';
|
||||||
|
import parseCookie from 'src/utils/parseCookie';
|
||||||
|
|
||||||
export default function setupClient() {
|
export default function setupClient() {
|
||||||
const csrfNode = document.querySelector('#csrf_token');
|
const csrfNode = document.querySelector('#csrf_token');
|
||||||
const csrfToken = csrfNode ? csrfNode.value : null;
|
const csrfToken = csrfNode ? csrfNode.value : null;
|
||||||
|
|
||||||
|
// when using flask-jwt-extended csrf is set in cookies
|
||||||
|
const cookieCSRFToken = parseCookie().csrf_access_token || '';
|
||||||
|
|
||||||
SupersetClient.configure({
|
SupersetClient.configure({
|
||||||
protocol: (window.location && window.location.protocol) || '',
|
protocol: (window.location && window.location.protocol) || '',
|
||||||
host: (window.location && window.location.host) || '',
|
host: (window.location && window.location.host) || '',
|
||||||
csrfToken,
|
csrfToken: csrfToken || cookieCSRFToken,
|
||||||
})
|
})
|
||||||
.init()
|
.init()
|
||||||
.catch(error => {
|
.catch(error => {
|
||||||
|
|
|
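Review bot: The fallback on the `csrfToken:` line changes what SupersetClient receives when no token is available from either source: with `csrfNode` absent the old code passed `null`, while `csrfToken || cookieCSRFToken` now passes `''` because `cookieCSRFToken` defaults to `''`. If SupersetClient distinguishes an unset token from an empty string this is a silent behavior change; `csrfToken: csrfToken || cookieCSRFToken || null` keeps the previous value for that case. The cookie name `csrf_access_token` is hard-coded and presumably the flask-jwt-extended default; if the backend configures a different CSRF cookie name the lookup silently yields an empty token, so hoisting it into a named constant next to the comment would make that coupling explicit. setupClient's body continues past the hunk.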
@ -0,0 +1,29 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
type CookieMap = { [cookieId: string]: string };
|
||||||
|
|
||||||
|
export default function parseCookie(cookie = document.cookie): CookieMap {
|
||||||
|
return Object.fromEntries(
|
||||||
|
cookie
|
||||||
|
.split('; ')
|
||||||
|
.filter(x => x)
|
||||||
|
.map(x => x.split('=')),
|
||||||
|
);
|
||||||
|
}
|
|
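Review bot: `.map(x => x.split('='))` in the new parseCookie splits on every `=`, so a value that itself contains `=` (base64 padding is the common case in cookies) is truncated, because `Object.fromEntries` keeps only the first two elements: `'tok=abc=='` becomes `{ tok: 'abc' }`. The split should happen at the first `=` only and keep the remainder as the value; a pair with no `=` at all currently maps to `undefined`, and mapping it to `''` matches the declared `CookieMap` type. Values are also returned without `decodeURIComponent`, which may be intended for raw tokens but deserves a comment since `document.cookie` values are commonly percent-encoded, and `.split('; ')` assumes the exact `'; '` separator browsers use for `document.cookie`, so an explicit `cookie` argument with different whitespace will not be split.
```typescript
      .filter(x => x)
      .map(x => {
        // split at the first '=' only; the value may itself contain '='
        const eq = x.indexOf('=');
        return eq === -1 ? [x, ''] : [x.slice(0, eq), x.slice(eq + 1)];
      }),
```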
@ -63,6 +63,7 @@ class BaseSupersetModelRestApi(ModelRestApi):
|
||||||
Extends FAB's ModelResApi to implement specific superset generic functionality
|
Extends FAB's ModelResApi to implement specific superset generic functionality
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
csrf_exempt = False
|
||||||
method_permission_name = {
|
method_permission_name = {
|
||||||
"get_list": "list",
|
"get_list": "list",
|
||||||
"get": "show",
|
"get": "show",
|
||||||
|
|
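Review bot: The new `csrf_exempt = False` on BaseSupersetModelRestApi carries no comment, yet it is the security-relevant line of the commit: it overrides FAB's BaseApi default of `csrf_exempt = True`, so every subclass becomes CSRF-protected and any subclass that sets it back to `True` silently reopens the exemption. Add `# FAB's BaseApi exempts CSRF by default; Superset REST APIs must enforce it (see #9205)` above the assignment so the intent survives a future refactor, and consider a test asserting that no subclass flips it back. The class body continues outside the hunk.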