
I am facing `flask_wtf.csrf: The CSRF session token is missing.` while trying to import a dashboard (with VERSIONED_EXPORT enabled) via a NodeJS POST API call. Below is the same setup that works for all my other Superset API calls:

const config = {
  headers: {
    'X-CSRFToken': await this.getCsrfToken(),
    'Authorization': `Bearer ${await this.getAccessToken()}`
  }
}
axios.get<T>(url, config) //or
axios.post<T>(url, data, config)

For the import dashboard API call I am using form-data, and it works if I add the dashboard import to WTF_CSRF_EXEMPT_LIST, but I want to avoid doing that. It does not work with any of these approaches I tried:

const formData = new FormData()

// With X-CSRFToken (shown above)
formData.append('formData', fs.createReadStream(filePath))

// With X-CSRFToken & defined file name & length
var stat = fs.statSync(filePath);
formData.append('formData', fs.createReadStream(filePath), {filename: fileName, knownLength: stat.size})

// With X-CSRFToken and/or Referral and/or Content-Type and/or Content-Length
var stat = fs.statSync(filePath);
formData.append('formData', fs.createReadStream(filePath), {filename: fileName, knownLength: stat.size})

const contentLength = formData.getLengthSync()
const config = {
  headers: {
    'X-CSRFToken': await this.getCsrfToken(),
    'Authorization': `Bearer ${await this.getAccessToken()}`, // comma was missing here
    'Referrer': url, // note: the standard HTTP header is spelled `Referer`
    'Content-Type': 'multipart/form-data',
    'Content-Length': contentLength
  }
}

// With X-XSRF-TOKEN
const config = {
  headers: {
    'X-XSRF-TOKEN': await this.getCsrfToken(),
    'Authorization': `Bearer ${await this.getAccessToken()}`
  }
}
formData.append('formData', fs.createReadStream(filePath))

await post(url, formData, config)

I suspect it could be caused by form-data not handling the CSRF token headers, as I am able to import the dashboard from Postman:

Headers: {
  Authorization: 'Bearer {token}',
  X-CSRFToken: {csrfToken}
}
form-data: {
  formData: {uploadedFile}
}

I am open to suggestions on how I can import a dashboard without using form-data in Node.

1 Answer


This is a common problem with CSRF tokens. See the related post.

In Superset's case you need to get not only the CSRF token but also the session cookie. The session cookie looks like this:

session=eyJjc3JmX3Rva2VuIjoiMGYwMzRiNzgyMzIyMDgwNTM5M2Y4YzdjODYyZmIzZGMyMGJlYjAwZiJ9.Ykb6sQ.PSJYvZBxYK7nEMzK3smE4WUSVEY;

You need to add this session info to the Cookie header of your client and it will work.

xneg
  • Thanks for sharing the need to include the `Cookie` header. I managed to get this working by passing the cookie obtained together with the CSRF token to get through the POST APIs with CSRF not exempted – Moon Is Cool Apr 06 '22 at 09:04
  • Yes, this is exactly what you need! – xneg Apr 06 '22 at 11:00
  • The solution worked great, but how will I be able to get the session cookie via the API? – RRR Mar 14 '23 at 06:36
  • @RRR as far as I remember, after a successful login you get a session cookie in any response from the server. – xneg Mar 14 '23 at 12:33
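The flow the answer describes, as an added example that is not code from the question, the answer or Superset: the `session` cookie that arrives with the CSRF token is replayed alongside `X-CSRFToken`, because Flask-WTF validates the header against a token stored in that signed session. The token endpoint path, its `{ result: token }` body shape, the plain response object passed in and all sample values are assumptions.

```javascript
// Flask-WTF keeps the CSRF token inside Superset's signed `session` cookie, so the
// X-CSRFToken header only validates when that cookie is sent back with the request.
// Without it the server answers "The CSRF session token is missing."

// Pick the `session=<value>` pair out of a Set-Cookie header list. Attributes such
// as Path or HttpOnly are dropped; only name=value goes into the Cookie header.
function sessionCookieFromSetCookie(setCookieHeaders) {
  for (const header of setCookieHeaders || []) {
    const pair = header.split(';')[0].trim();
    if (pair.startsWith('session=')) return pair;
  }
  return null;
}

// Headers for a CSRF-protected Superset call. Fails fast instead of sending a
// request the server would reject for a missing session.
function csrfHeaders({ accessToken, csrfToken, sessionCookie }) {
  if (!csrfToken) throw new Error('no CSRF token available');
  if (!sessionCookie) throw new Error('session cookie missing: token cannot be validated');
  return {
    Authorization: `Bearer ${accessToken}`,
    'X-CSRFToken': csrfToken,
    Cookie: sessionCookie,
  };
}

// Turn the response of GET /api/v1/security/csrf_token/ (assumed shape: JSON body
// { result: token } plus the Set-Cookie headers) into headers for the import POST.
function prepareImportHeaders(tokenResponse, accessToken) {
  const csrfToken = tokenResponse.body && tokenResponse.body.result;
  const sessionCookie = sessionCookieFromSetCookie(tokenResponse.setCookie);
  return csrfHeaders({ accessToken, csrfToken, sessionCookie });
}

// Constructed sample of a token response; cookie and token values are made up.
const sampleTokenResponse = {
  body: { result: 'EXAMPLE_CSRF_TOKEN' },
  setCookie: ['session=EXAMPLE.SESSION.VALUE; HttpOnly; Path=/', 'other=1; Path=/'],
};

// With the `form-data` package, spread these over formData.getHeaders() so the
// multipart boundary is kept: { ...formData.getHeaders(), ...headers }.
const headers = prepareImportHeaders(sampleTokenResponse, 'EXAMPLE_ACCESS_TOKEN');
console.log(headers);
```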