Calling /api/v1/chart/data returns 400 "The CSRF session token is missing" #10354

Closed
3 tasks done
saward opened this issue Jul 17, 2020 · 10 comments

Comments

@saward

saward commented Jul 17, 2020

Hi,

I'm trying to use the API with JWT. I have been able to successfully use some other endpoints (e.g., getting a list of charts) using this token for authentication. However, the /api/v1/chart/data endpoint, which shows up in the Swagger UI, returns an error. For example, using httpie:

http -f POST "https://example.com/api/v1/chart/data" form_data="{\"adhoc_filters\": [], \"bar_stacked\": false, \"bottom_margin\": \"auto\", \"color_scheme\": \"bnbColors\", \"columns\": [], \"contribution\": false, \"datasource\": \"1__table\", \"granularity_sqla\": null, \"groupby\": [\"brand_name\"], \"label_colors\": {}, \"metrics\": [{\"aggregate\": \"SUM\", \"column\": {\"column_name\": \"count\", \"database_expression\": null, \"description\": null, \"expression\": \"\", \"filterable\": false, \"groupby\": false, \"id\": 1, \"is_dttm\": false, \"optionName\": \"_col_count\", \"python_date_format\": null, \"type\": \"BIGINT\", \"verbose_name\": null}, \"expressionType\": \"SIMPLE\", \"fromFormData\": false, \"hasCustomLabel\": false, \"label\": \"SUM(count)\", \"optionName\": \"metric_vvvpnkvzbgj_o6qcag8lo5\", \"sqlExpression\": null}], \"order_bars\": false, \"reduce_x_ticks\": false, \"row_limit\": 10000, \"show_bar_value\": true, \"show_controls\": false, \"show_legend\": true, \"slice_id\": 1, \"time_range\": \"No filter\", \"url_params\": {}, \"viz_type\": \"dist_bar\", \"x_axis_label\": \"Brand\", \"x_ticks_layout\": \"flat\", \"y_axis_format\": \",\", \"y_axis_label\": \"Total Clients\"}" 'Authorization: Bearer <my_jwt_token>'

I have the same issue when sending the data as "application/json" as well. Reading the Superset code, if I understand it right, I should be able to use either application/json or form submission with the form_data parameter.

Expected results

Receive a 200 reply with json body and data from search.

Actual results

400 received:

HTTP/1.1 400 BAD REQUEST
Connection: keep-alive
Content-Length: 150
Content-Type: text/html; charset=utf-8
Date: Fri, 17 Jul 2020 05:20:26 GMT
Server: nginx/1.15.2
Strict-Transport-Security: max-age=15724800; includeSubDomains

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>The CSRF session token is missing.</p>

How to reproduce the bug

  1. Go to /swagger/v1
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Environment

(please complete the following information):

  • superset version: superset version

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Superset 0.999.0dev
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I'm running the 'edge' tag for the unofficial docker image at https://hub.docker.com/r/amancevice/superset/

  • python version: python --version

3.6.11

  • node.js version: node -v

N/A

  • npm version: npm -v

N/A

Checklist

Make sure these boxes are checked before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.
@saward saward added the !deprecated-label:bug Deprecated label - Use #bug instead label Jul 17, 2020
@issue-label-bot

Issue Label Bot is not confident enough to auto-label this issue. See dashboard for more details.

@dpgaspar (Member)

Hi @saward

Just merged a PR that will allow you to make requests to chart/data without CSRF by default, so your curl will succeed with the latest master.

@dpgaspar dpgaspar added answered and removed !deprecated-label:bug Deprecated label - Use #bug instead labels Jul 23, 2020
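For anyone who cannot run master yet, or who needs a state-changing endpoint (where exempting is the wrong tool), the client can satisfy Flask-WTF instead of bypassing it. The script below is an added example in stdlib Python, not code from this issue or from Superset. It assumes the FAB endpoints /api/v1/security/login and /api/v1/security/csrf_token/ exist on the target, that /api/v1/chart/data accepts a query-context JSON body with the field names shown (the sample payload is constructed from the form_data in the issue and is an assumption about the schema), and uses placeholder credentials.

```python
"""Call Superset's JSON API with a JWT while Flask-WTF CSRF stays enabled.

Added example (stdlib only), not code from this issue or from Superset.
Endpoint paths and the query-context field names are assumptions.
"""
import http.cookiejar
import json
import urllib.error
import urllib.request
from typing import Optional

LOGIN_PATH = "/api/v1/security/login"        # assumed FAB login endpoint
CSRF_PATH = "/api/v1/security/csrf_token/"   # assumed FAB csrf_token endpoint
CHART_DATA_PATH = "/api/v1/chart/data"

# Constructed query context shaped after the issue's form_data; the field
# names are an assumption about the chart/data schema of the target version.
SAMPLE_QUERY_CONTEXT = {
    "datasource": {"id": 1, "type": "table"},
    "queries": [{
        "groupby": ["brand_name"],
        "metrics": [{"expressionType": "SIMPLE", "aggregate": "SUM",
                     "column": {"column_name": "count"}, "label": "SUM(count)"}],
        "time_range": "No filter",
        "row_limit": 10000,
    }],
}


def csrf_request_headers(jwt: str, csrf_token: str, referer: str) -> dict:
    """Headers for a POST that must pass both JWT auth and Flask-WTF CSRF.

    Flask-WTF reads the token from X-CSRFToken and compares it with the copy
    it stored in the Flask session, so the session cookie set by the
    csrf_token call must be sent too (the cookie jar in SupersetClient does
    that). Over HTTPS with WTF_CSRF_SSL_STRICT (Flask-WTF's default) it also
    requires a same-origin Referer, which browsers send and scripts must add.
    """
    return {
        "Authorization": f"Bearer {jwt}",
        "X-CSRFToken": csrf_token,
        "Referer": referer,
        "Accept": "application/json",
    }


def explain_csrf_failure(status: int, body: str) -> Optional[str]:
    """Map Flask-WTF's 400 error texts to their cause; None if not a CSRF error."""
    if status != 400:
        return None
    causes = {
        "The CSRF session token is missing": "no Flask session cookie was sent, "
            "so the server has nothing to compare the header token against",
        "The CSRF token is missing": "no X-CSRFToken header (or csrf_token field) was sent",
        "The CSRF tokens do not match": "the header token is not the one stored in the session",
    }
    for text, cause in causes.items():
        if text in body:
            return cause
    return None


class SupersetClient:
    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")
        jar = http.cookiejar.CookieJar()  # keeps the Flask session cookie between calls
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        self.jwt: Optional[str] = None
        self.csrf_token: Optional[str] = None

    def _call(self, method, path, payload=None, headers=None):
        data = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=dict(headers or {}), method=method)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with self.opener.open(req, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()

    def login(self, username: str, password: str, provider: str = "db") -> None:
        status, body = self._call("POST", LOGIN_PATH, {"username": username,
                                  "password": password, "provider": provider})
        if status != 200:
            raise RuntimeError(f"login failed: {status} {body}")
        self.jwt = json.loads(body)["access_token"]

    def fetch_csrf_token(self) -> str:
        # This GET also sets the session cookie the returned token is bound to.
        status, body = self._call("GET", CSRF_PATH,
                                  headers={"Authorization": f"Bearer {self.jwt}"})
        if status != 200:
            raise RuntimeError(f"csrf_token failed: {status} {body}")
        self.csrf_token = json.loads(body)["result"]
        return self.csrf_token

    def chart_data(self, query_context: dict) -> dict:
        headers = csrf_request_headers(self.jwt, self.csrf_token, self.base_url + "/")
        status, body = self._call("POST", CHART_DATA_PATH, query_context, headers)
        cause = explain_csrf_failure(status, body)
        if cause:
            raise RuntimeError(f"CSRF check failed: {cause}")
        if status != 200:
            raise RuntimeError(f"chart/data failed: {status} {body}")
        return json.loads(body)


if __name__ == "__main__":
    client = SupersetClient("https://example.com")  # host from the issue
    client.login("admin", "admin")                   # placeholder credentials
    client.fetch_csrf_token()
    print(json.dumps(client.chart_data(SAMPLE_QUERY_CONTEXT))[:200])
```

The wording of the 400 in the issue is the clue: "The CSRF session token is missing" is Flask-WTF saying no session cookie arrived, not that the header was wrong. A bearer-only client has no session at all, which is why the cookie jar matters more than the header. Whether the Referer is actually checked depends on whether Flask sees the request as HTTPS (for example with ENABLE_PROXY_FIX behind nginx); sending it is harmless either way.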
@saward (Author)

saward commented Jul 24, 2020

Looks good, thanks; will test soon. Wasn't sure myself exactly how to make it exempt with Flask.

@madhamanchiharsha

Same issue; I am also facing this. When I try to make a POST call to create a dashboard, the response is 400 and says "The CSRF token is missing". Any help here?

@villebro (Member)

@madhamanchiharsha what version of Superset are you on?

@madhamanchiharsha

madhamanchiharsha commented Jan 11, 2021

0.38 is the version I am using, and I am running it locally. @villebro

@madhamanchiharsha

Hi @villebro, any update on this issue?

@madhamanchiharsha

I have disabled CSRF protection in config.py in Superset like this ("WTF_CSRF_ENABLED = False") and it is working now.

@darthenik

I have disabled CSRF protection in config.py in Superset like this ("WTF_CSRF_ENABLED = False") and it is working now.

Is it secure to do this?

@EuphoriaCelestial

I have disabled CSRF protection in config.py in Superset like this ("WTF_CSRF_ENABLED = False") and it is working now.

Is it secure to do this?

Disabling CSRF is never a recommended way to solve this issue; only use it if you are not going to deploy the product.
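Server-side, the difference between what the thread did and what the merged PR did comes down to two settings in superset_config.py. The fragment below is an added example, not configuration from this thread or from the Superset repository; it answers both the "how do I make it exempt with Flask" question and the "is it secure to disable it" question. The entries in the exempt list are assumed dotted view paths (the pattern Superset passes to Flask-WTF's csrf.exempt); check them against the version you run.

```python
# superset_config.py (added example, not from the thread or from Superset).
# Loaded when it is on PYTHONPATH or named by SUPERSET_CONFIG_PATH.

# What the thread did: turns Flask-WTF off for every form and every
# endpoint. Any site a logged-in user visits can then submit requests that
# ride on that user's session cookie, including dashboard and database
# changes. Do not ship this.
# WTF_CSRF_ENABLED = False

# Narrow alternative: keep CSRF on and exempt only the view that API clients
# need. A forged cross-site POST to chart/data can trigger a query, but the
# same-origin policy stops the attacker's page from reading the result, which
# is why a read-only data endpoint is a tolerable exemption while a
# "create dashboard" endpoint is not. Entry strings are assumed dotted
# "module.view_function" paths; verify them for your release.
WTF_CSRF_ENABLED = True
WTF_CSRF_EXEMPT_LIST = [
    "superset.views.core.log",   # assumed: already exempt upstream
    "superset.charts.api.data",  # assumed: the view behind /api/v1/chart/data
]
```

For endpoints that change state, leave them protected and have the client fetch a token from the csrf_token endpoint and send it as X-CSRFToken together with the session cookie, rather than widening the exempt list.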

6 participants