bryanjknight commented on issue #25740:
URL: https://github.com/apache/superset/issues/25740#issuecomment-2007716238

> > Digging into this more, it seems `/api/v1/security/login` does not set a session cookie; hence, the `/api/v1/me` and underlying calls fail b/c there's no session cookie
>
> I am facing the same issue. Normally, how can I get the session cookie? If `/api/v1/security/login` doesn't return it, is there any other way to log in and get the cookie? How did Superset work if there is no session cookie?

I had to do a hack (**emphasis on hack**: this is not production ready code, please review it b/c if done wrong it creates a security hole) to basically take a JWT, verify it, find the corresponding user, then login that user again. The result is a cookie getting set on response:

```python
from flask import request
from flask_appbuilder import expose
from flask_appbuilder.security.views import AuthOAuthView
from flask_login import login_user
import jwt


class CustomOAuthView(AuthOAuthView):

    @expose('/custom/session-by-jwt', methods=['GET'])
    def session_by_jwt(self, provider=None):
        # get the jwt from the "Authorization: Bearer <token>" request header
        # (default to '' so a missing header raises IndexError inside the try below)
        current_jwt = request.headers.get('Authorization', '').split(' ')[1]

        # decode the jwt to get the claims
        try:
            jwt_options = {
                'verify_signature': False,  # TODO: get the public key from the jwks_uri to verify the signature
                'verify_exp': True,
                'verify_nbf': False,
                'verify_iat': True,
                'verify_aud': False
            }
            jwt_decoded = jwt.decode(jwt=current_jwt, algorithms=['HS256'], options=jwt_options)

            # get the user from the jwt (assumes the 'sub' claim carries the user's email)
            user = self.appbuilder.sm.find_user(email=jwt_decoded['sub'])

            # create a session cookie for the user; Flask-Login sets it on the response
            login_user(user)
        except Exception as e:
            print(f"Exception: {e}")
            return "Invalid JWT"
        return "session_by_jwt"
```
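The security hole the comment warns about is the `'verify_signature': False` option: with it, any token whose payload names an existing user's email is accepted, whatever key (if any) signed it. The following added example is not part of the comment, of Superset, or of Flask-AppBuilder; it is a standard-library HS256 verifier that puts the unverified decode beside a verified one and gates the user lookup on the latter. The shared secret, the `USERS` table and the minted tokens are constructed for the example; a real deployment would fetch the issuer's public key from its `jwks_uri` and verify RS256/ES256 instead.

```python
"""Added example (not the commenter's or Superset's code): minimal HS256 JWT
verification from the standard library, showing why decoding with
verify_signature=False must not gate login_user()."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret and user table (placeholders, not real values).
SECRET = b"demo-secret-not-for-production"
USERS = {"alice@example.com": {"id": 1, "active": True}}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Re-add the '=' padding that JWT base64url strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to build sample inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """What verify_signature=False amounts to: trust the payload as-is."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, key: bytes, now=None) -> dict:
    """Check alg, signature and exp before returning claims; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def user_for_token(token: str, key: bytes, now=None):
    """The comment's find-user-then-login step, gated on a verified token.
    Returns the user record to log in, or None when the token or user is not acceptable."""
    try:
        claims = decode_verified(token, key, now)
    except ValueError:
        return None
    user = USERS.get(claims.get("sub"))
    if user is None or not user["active"]:
        return None
    return user
```

`decode_unverified` happily returns the `sub` claim of a token signed with some other key, which is exactly the input the comment's endpoint would then pass to `find_user` and `login_user`; `user_for_token` returns `None` for that token, for an expired one, and for a `sub` that matches no active user, so only the verified path reaches the login step.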

