mirror of https://github.com/apache/superset.git
fix(async-queries): make global async. queries cookie SameSite option configurable (#21185)
Co-authored-by: Ville Brofeldt <ville.brofeldt@apple.com>
This commit is contained in:
parent
eb66590b6a
commit
80b31130b4
|
@ -1325,6 +1325,7 @@ The following configuration settings are available for async queries (see config
|
|||
- `GLOBAL_ASYNC_QUERIES_REDIS_STREAM_LIMIT_FIREHOSE` - the maximum number of events for all users (FIFO eviction)
|
||||
- `GLOBAL_ASYNC_QUERIES_JWT_COOKIE_NAME` - the async query feature uses a [JWT](https://tools.ietf.org/html/rfc7519) cookie for authentication, this setting is the cookie's name
|
||||
- `GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE` - JWT cookie secure option
|
||||
- `GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SAMESITE` - JWT cookie same site option
|
||||
- `GLOBAL_ASYNC_QUERIES_JWT_COOKIE_DOMAIN` - JWT cookie domain option ([see docs for set_cookie](https://tedboy.github.io/flask/interface_api.response_object.html#flask.Response.set_cookie))
|
||||
- `GLOBAL_ASYNC_QUERIES_JWT_SECRET` - JWT's use a secret key to sign and validate the contents. This value should be at least 32 bytes and have sufficient randomness for proper security
|
||||
- `GLOBAL_ASYNC_QUERIES_TRANSPORT` - available options: "polling" (HTTP, default), "ws" (WebSocket, requires running superset-websocket server)
|
||||
|
|
|
@ -1383,7 +1383,7 @@ RLS_BASE_RELATED_FIELD_FILTERS: Dict[str, BaseFilter] = {}
|
|||
#
|
||||
SESSION_COOKIE_HTTPONLY = True # Prevent cookie from being read by frontend JS?
|
||||
SESSION_COOKIE_SECURE = False # Prevent cookie from being transmitted over non-tls?
|
||||
SESSION_COOKIE_SAMESITE = "Lax" # One of [None, 'None', 'Lax', 'Strict']
|
||||
SESSION_COOKIE_SAMESITE: Optional[Literal["None", "Lax", "Strict"]] = "Lax"
|
||||
|
||||
# Cache static resources.
|
||||
SEND_FILE_MAX_AGE_DEFAULT = int(timedelta(days=365).total_seconds())
|
||||
|
@ -1431,6 +1431,9 @@ GLOBAL_ASYNC_QUERIES_REDIS_STREAM_LIMIT = 1000
|
|||
GLOBAL_ASYNC_QUERIES_REDIS_STREAM_LIMIT_FIREHOSE = 1000000
|
||||
GLOBAL_ASYNC_QUERIES_JWT_COOKIE_NAME = "async-token"
|
||||
GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE = False
|
||||
GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SAMESITE: Optional[
|
||||
Literal["None", "Lax", "Strict"]
|
||||
] = None
|
||||
GLOBAL_ASYNC_QUERIES_JWT_COOKIE_DOMAIN = None
|
||||
GLOBAL_ASYNC_QUERIES_JWT_SECRET = "test-secret-change-me"
|
||||
GLOBAL_ASYNC_QUERIES_TRANSPORT = "polling"
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
import json
|
||||
import logging
|
||||
import uuid
|
||||
from typing import Any, Dict, List, Optional, Tuple
|
||||
from typing import Any, Dict, List, Literal, Optional, Tuple
|
||||
|
||||
import jwt
|
||||
import redis
|
||||
|
@ -80,6 +80,7 @@ class AsyncQueryManager:
|
|||
self._jwt_cookie_name: str = ""
|
||||
self._jwt_cookie_secure: bool = False
|
||||
self._jwt_cookie_domain: Optional[str]
|
||||
self._jwt_cookie_samesite: Optional[Literal["None", "Lax", "Strict"]] = None
|
||||
self._jwt_secret: str
|
||||
|
||||
def init_app(self, app: Flask) -> None:
|
||||
|
@ -110,6 +111,7 @@ class AsyncQueryManager:
|
|||
]
|
||||
self._jwt_cookie_name = config["GLOBAL_ASYNC_QUERIES_JWT_COOKIE_NAME"]
|
||||
self._jwt_cookie_secure = config["GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE"]
|
||||
self._jwt_cookie_samesite = config["GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SAMESITE"]
|
||||
self._jwt_cookie_domain = config["GLOBAL_ASYNC_QUERIES_JWT_COOKIE_DOMAIN"]
|
||||
self._jwt_secret = config["GLOBAL_ASYNC_QUERIES_JWT_SECRET"]
|
||||
|
||||
|
@ -142,6 +144,7 @@ class AsyncQueryManager:
|
|||
httponly=True,
|
||||
secure=self._jwt_cookie_secure,
|
||||
domain=self._jwt_cookie_domain,
|
||||
samesite=self._jwt_cookie_samesite,
|
||||
)
|
||||
|
||||
return response
|
||||
|
|
Loading…
Reference in New Issue