API Key authentication should take precedence over cookies #3770

Closed
arikfr opened this issue May 6, 2019 · 0 comments · Fixed by #3877
arikfr commented May 6, 2019

Currently when you're logged in as a user, you can't use embeds or shared dashboards for which you do not have access -- even if you provide the API key. This is because the current user is being defined by the session cookie and the API key is being ignored.

We need to change this behavior so the API key takes precedence. From a quick look at Flask-Login's documentation, it seems that it calls user_loader first and only if this fails will it try the request_loader.

Unless this is configurable, we might need to change user_loader to always return None and implement our own logic in request_loader.
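The two resolution orders discussed in this issue, as an added framework-free example that is not Redash or Flask-Login code. The `Request` stand-in, the `api_key` query parameter name, the sample users and keys, and the choice to reject an unknown key instead of falling back to the cookie are assumptions of this example.

```python
# Added illustration: models the loader order from the issue without Flask-Login.
# Every name and value below is hypothetical and constructed for this example.
from dataclasses import dataclass, field
from typing import Optional

USERS = {1: "alice"}                             # session user id -> identity
API_KEYS = {"key-dash-42": "api:dashboard-42"}   # API key -> identity scoped to one object


@dataclass
class Request:
    """Minimal stand-in for an HTTP request."""
    args: dict = field(default_factory=dict)      # query string parameters
    session: dict = field(default_factory=dict)   # decoded session cookie


def user_loader(user_id) -> Optional[str]:
    """Session-cookie path: map the stored user id to an identity."""
    return USERS.get(user_id)


def api_key_loader(request: Request) -> Optional[str]:
    """API-key path: map the api_key query parameter to an identity."""
    return API_KEYS.get(request.args.get("api_key"))


def load_user_session_first(request: Request) -> Optional[str]:
    """Order described in the issue: session first, API key only as fallback."""
    user_id = request.session.get("user_id")
    user = user_loader(user_id) if user_id is not None else None
    return user if user is not None else api_key_loader(request)


def load_user_api_key_first(request: Request) -> Optional[str]:
    """Proposed order: an explicit API key decides the identity.

    Assumption of this example: a supplied but unknown key yields None
    (no silent fallback to the cookie), so a bad key is never masked
    by an unrelated logged-in session.
    """
    if "api_key" in request.args:
        return api_key_loader(request)
    user_id = request.session.get("user_id")
    return user_loader(user_id) if user_id is not None else None
```

With both a session and a valid key present, the session-first order resolves to the logged-in user and the key is never consulted, which is the behavior the issue reports.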
