Error logs full of "CSRF token missing" on POST /superset/log #30717

Closed
3 tasks done
Ralkion opened this issue Oct 25, 2024 · 2 comments


Ralkion commented Oct 25, 2024

Bug description

Our error logs are full of the following error:

2024-10-25 15:38:51,223:INFO:flask_wtf.csrf:The CSRF token is missing.
Refresh CSRF token error
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 261, in protect
    validate_csrf(self._get_csrf_token())
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 100, in validate_csrf
    raise ValidationError("The CSRF token is missing.")
wtforms.validators.ValidationError: The CSRF token is missing.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1821, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2313, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 264, in protect
    self._error_response(e.args[0])
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing.
2024-10-25 15:38:51,223:WARNING:superset.views.base:Refresh CSRF token error
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 261, in protect
    validate_csrf(self._get_csrf_token())
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 100, in validate_csrf
    raise ValidationError("The CSRF token is missing.")
wtforms.validators.ValidationError: The CSRF token is missing.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1821, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2313, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 264, in protect
    self._error_response(e.args[0])
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing.
18.68.40.55 - - [25/Oct/2024:15:38:51 +0000] "POST /superset/log/?explode=events&dashboard_id=65 HTTP/1.1" 302 201 "https://<site>/chart/list/?pageIndex=0&sortColumn=changed_on_delta_humanized&sortOrder=desc&viewMode=table" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"

As you can see from the last line, the POST /superset/log is returning a 302, which, as it turns out, redirects to /login.

Proper execution should result in the POST returning a 200.

This happens constantly as users navigate the UI.

Screenshots/recordings

No response

Superset version

4.0.2

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

dosubot bot commented Oct 25, 2024

Hey @Ralkion! I'm here to help you with any bugs, questions, or contributions. Let's tackle this together! 🤖

There are similar issues and discussions related to the "CSRF token missing" error in Apache Superset. Here are a few relevant ones:

  1. Closed Issue: Superset CSRF Token missing error - The suggested solution is to set TALISMAN_ENABLED to False in the configuration. This can be done by adding TALISMAN_ENABLED: "False" to extraEnv in values.yaml for the helm chart, or by setting TALISMAN_ENABLED = False in superset/config.py [1].

  2. Closed Issue: Error The CSRF session token is missing when embedding Superset in an iframe - A solution that worked for some users was setting SESSION_COOKIE_SAMESITE = None in the superset/config.py file [2].

  3. Closed Issue: Getting CSRF token issue while loading Superset using docker-compose - The issue was resolved by updating the yml file to provide a stable Superset container image version 2.1 [3].

To resolve the "CSRF token missing" error when making a POST request to /superset/log, ensure that the CSRF token is included in your request headers. You can use the SupersetClientClass to handle CSRF tokens by fetching them and including them in the headers for requests. Make sure to initialize the client and call getCSRFToken() before making any POST requests [4][5].



Ralkion commented Oct 28, 2024

Issue was a misconfiguration on the server. The POST /superset/log endpoint is naturally exempted from the CSRF requirements via the WTF_CSRF_EXEMPT_LIST. In our configuration the list was made empty, and thus the endpoint reported errors.

Ralkion closed this as not planned Oct 28, 2024
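
A triage check for the symptom in this thread, as an added example (not code from Superset or from the reporter): it pairs flask_wtf CSRF errors with state-changing requests logged in the same second that did not return 200, so rejected hits on an endpoint you expect to be CSRF-exempt, such as POST /superset/log/, stand out. The log lines are constructed in the two formats shown in the report; matching by second, treating both timestamps as UTC, and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Line formats as they appear in the report: combined access log and Python logging.
ACCESS_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
CSRF_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:\w+:flask_wtf\.csrf:.*CSRF')

# Constructed sample (not real traffic); addresses are documentation-range IPs.
SAMPLE_LOG = """\
2024-10-25 15:38:51,223:INFO:flask_wtf.csrf:The CSRF token is missing.
203.0.113.7 - - [25/Oct/2024:15:38:51 +0000] "POST /superset/log/?explode=events&dashboard_id=65 HTTP/1.1" 302 201 "-" "ua"
203.0.113.7 - - [25/Oct/2024:15:38:52 +0000] "GET /chart/list/ HTTP/1.1" 200 5120 "-" "ua"
2024-10-25 15:39:10,004:INFO:flask_wtf.csrf:The CSRF token is missing.
203.0.113.9 - - [25/Oct/2024:15:39:10 +0000] "POST /superset/log/?explode=events HTTP/1.1" 302 201 "-" "ua"
203.0.113.9 - - [25/Oct/2024:15:39:30 +0000] "POST /superset/log/?explode=events HTTP/1.1" 200 2 "-" "ua"
""".splitlines()


def csrf_rejected_requests(lines):
    """Count (method, path, status) for non-200 state-changing requests that
    share a timestamp (to the second) with a flask_wtf CSRF error."""
    error_seconds, requests = set(), []
    for line in lines:
        m = CSRF_RE.match(line)
        if m:
            # Assumption: the application log is written in UTC, like the access log.
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            error_seconds.add(ts.replace(tzinfo=timezone.utc))
            continue
        m = ACCESS_RE.match(line)
        if m and m["method"] in {"POST", "PUT", "PATCH", "DELETE"}:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            requests.append((ts, m["method"], urlsplit(m["target"]).path, int(m["status"])))
    return Counter(
        (method, path, status)
        for ts, method, path, status in requests
        if status != 200 and ts in error_seconds
    )


def exempt_list_gaps(rejections, expected_exempt_paths):
    """Paths expected to be CSRF-exempt that are nevertheless being rejected."""
    return sorted({path for (_m, path, _s) in rejections if path in expected_exempt_paths})
```

A non-empty result from `exempt_list_gaps(csrf_rejected_requests(lines), {"/superset/log/"})` points at the exemption configuration (here, `WTF_CSRF_EXEMPT_LIST`) rather than at clients failing to send a token.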