CSRF Missing for Cache Warm Up

[hanslemm]

Bug description

I have a Superset@4.1.1 running on K8s.

Whenever the Celery task to warm-up the cache of the top 10 dashboards run, I have the following error:

2024-12-04 07:02:46.455 | [2024-12-04 06:02:46,454: ERROR/ForkPoolWorker-4] fetch_url[b5da1f66-912f-4cdf-bffa-be47cef16dbe]: Error warming up cache! |  
-- | -- | --
  |   | 2024-12-04 07:02:46.454 | urllib.error.HTTPError: HTTP Error 400: Bad Request |  
  |   | 2024-12-04 07:02:46.454 | raise HTTPError(req.full_url, code, msg, hdrs, fp) |  
  |   | 2024-12-04 07:02:46.454 | File "/usr/local/lib/python3.10/urllib/request.py", line 643, in http_error_default |  
  |   | 2024-12-04 07:02:46.454 | File "/usr/local/lib/python3.10/urllib/request.py", line 563, in error |  
  |   | 2024-12-04 07:02:46.454 | response = self.parent.error( |  
  |   | 2024-12-04 07:02:46.454 | [2024-12-04 06:02:46,453: ERROR/ForkPoolWorker-1] fetch_url[27de5b0d-8070-4415-a0c6-ee104dce1003]: Error warming up cache! |  
  |   | 2024-12-04 07:02:46.450 | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing. |  
  |   | 2024-12-04 07:02:46.450 | raise CSRFError(reason) |  
  |   | 2024-12-04 07:02:46.450 | File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response |  
  |   | 2024-12-04 07:02:46.450 | self._error_response(e.args[0]) |  
  |   | 2024-12-04 07:02:46.450 | wtforms.validators.ValidationError: The CSRF session token is missing. |  
  |   | 2024-12-04 07:02:46.450 | raise ValidationError("The CSRF session token is missing.") |  
  |   | 2024-12-04 07:02:46.450 | 2024-12-04 06:02:46,449:WARNING:superset.views.error_handling:HTTPException |  
  |   | 2024-12-04 07:02:46.449 | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing. |  
  |   | 2024-12-04 07:02:46.449 | raise CSRFError(reason) |  
  |   | 2024-12-04 07:02:46.449 | File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response |  
  |   | 2024-12-04 07:02:46.449 | self._error_response(e.args[0]) |  
  |   | 2024-12-04 07:02:46.449 | wtforms.validators.ValidationError: The CSRF session token is missing. |  
  |   | 2024-12-04 07:02:46.449 | raise ValidationError("The CSRF session token is missing.")

Before the 4.1.1 update, I still had this issue, but it was a 404 error instead.

I tried to fix this by expanding CSRF exemption list, to no avail:

WTF_CSRF_EXEMPT_LIST = [
    "superset.views.core.log",
    "superset.views.core.explore_json",
    "superset.charts.data.api.data",
    "superset.dashboards.api.cache_dashboard_screenshot",
    "superset.views.core.warm_up_cache",  # Added endpoint
]

Screenshots/recordings

No response

Superset version

4.1.1

Python version

3.10

Node version

I don't know

Browser

Chrome

Additional context

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": [
            "'self'",
            "blob:",
            "data:",
            "https://apachesuperset.gateway.scarf.sh",
            "https://static.scarf.sh/",
            "https://avatars.slack-edge.com",  # Uncomment when SLACK_ENABLE_AVATARS is True
        ],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
            "ws://superset-ws:8080/",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}

FEATURE_FLAGS = {
    "ALERTS_ATTACH_REPORTS": True,
    "ALERT_REPORTS": True,
    "ALERT_REPORTS_TABS": True,
    "ALERT_REPORT_SLACK_V2": True,
    "DASHBOARD_RBAC": True,
    "DASHBOARD_VIRTUALIZATION": True,
    "DRILL_TO_DETAIL": True,
    "DRILL_BY": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
    "ENABLE_EXPLORE_DRAG_AND_DROP": True,
    "ENABLE_DASHBOARD_SCREENSHOT_ENDPOINTS": True,
    "ENABLE_DASHBOARD_DOWNLOAD_WEBDRIVER_SCREENSHOT": True,
    "ENABLE_DND_WITH_CLICK_UX": True,
    "GENERIC_CHART_AXES": True,
    "GLOBAL_ASYNC_QUERIES": True,
    "HORIZONTAL_FILTER_BAR": True,
    "PLAYWRIGHT_REPORTS_AND_THUMBNAILS": True,
    "TAGGING_SYSTEM": True,
    "THUMBNAILS": True,
    "THUMBNAILS_SQLA_LISTENERS": True,
    "SLACK_ENABLE_AVATARS": True,
}

Checklist

• I have searched Superset docs and Slack and didn't find a solution to my problem.
• I have searched the GitHub issue tracker and didn't find a similar bug report.
• I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

[AnTapTanhCode]

you can try #31173

[dosubot]

I found a similar discussion regarding CSRF token issues in Superset, which might be relevant to your situation. The discussion titled "[QA][superset & keycloak] flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing](#28250)" addresses a similar error. A suggested solution from a related closed issue was to set TALISMAN_ENABLED to False in the configuration, which resolved the problem for multiple users ^[1].

Additionally, ensure that the CSRF token is correctly fetched and included in the headers for API requests. In Superset's Celery task for cache warming, the fetch_csrf_token function is used to update the headers with the CSRF token before making the API request ^[2]. You might want to verify that this process is correctly implemented in your setup.

To continue talking to Dosu, mention @dosu.

[hanslemm]

Thanks @AnTapTanhCode - true, this #31173 is precisely the solution.