GitHub user rsaleev added a comment to the discussion: Custom SecurityManager 
issues with /embedded view

@dosu

How do I fix the "CSRF token needed" error for /superset/log/ when it is requested after /embedded?
Should I set the CSRF token manually?

Because after that request it tries to authenticate the user and redirects to the
/login/ page.

```
06/Mar/2026:09:25:59 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.32"
2026-03-06 09:25:59,653:INFO:flask_wtf.csrf:The CSRF token is missing.
2026-03-06 09:25:59,653:WARNING:superset.views.error_handling:Refresh CSRF 
token error
Traceback (most recent call last):
  File "/app/.venv/lib/python3.12/site-packages/flask_wtf/csrf.py", line 261, 
in protect
    validate_csrf(self._get_csrf_token())
  File "/app/.venv/lib/python3.12/site-packages/flask_wtf/csrf.py", line 100, 
in validate_csrf
    raise ValidationError("The CSRF token is missing.")
wtforms.validators.ValidationError: The CSRF token is missing.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/app/.venv/lib/python3.12/site-packages/flask/app.py", line 1482, in 
full_dispatch_request
    rv = self.preprocess_request()
         ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.venv/lib/python3.12/site-packages/flask/app.py", line 1974, in 
preprocess_request
    rv = self.ensure_sync(before_func)()
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.venv/lib/python3.12/site-packages/flask_wtf/csrf.py", line 229, 
in csrf_protect
    self.protect()
  File "/app/.venv/lib/python3.12/site-packages/flask_wtf/csrf.py", line 264, 
in protect
    self._error_response(e.args[0])
  File "/app/.venv/lib/python3.12/site-packages/flask_wtf/csrf.py", line 307, 
in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing.
2026-03-06 09:25:59,655:DEBUG:superset.async_events.async_query_manager:Token 
reset False
95.31.11.203 - - [06/Mar/2026:09:25:59 +0000] "POST 
/superset/log/?explode=events HTTP/1.1" 302
```

referrer 
`"https://my-domain/embedded/b1dc9391-2e05-4e86-bb79-9d4dfe2c3ea0?uiConfig=0&expand_filters=false&standalone=2";
 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0"`

I use a custom init_app now, but the error still exists:

```
 def _user_is_guest(sm):
        if request.headers.get("X-GuestToken"):
            return True
        if hasattr(g, "user"):
            user = g.user
            if hasattr(user, "is_guest") and sm.is_guest_user(g.user):
                return True
            if hasattr(user, "username") and "guest" in user.username:
                return True
        return False
    
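    def _handle_guest_request(sm):
        """Turn the guest token on the current request into a logged-in guest user.

        Builds the guest user through the security manager, assigns it the
        configured guest role, logs it in, stores it on ``g`` and records the
        generated id in the session under ``async_user_id``.

        Args:
            sm: the security manager used to build the guest user and look up roles.
        """
        guest_user = sm.get_guest_user_from_request(request)
        # NOTE(review): presumably None when the request carries no valid guest
        # token — confirm against the security manager; without this guard the
        # attribute assignments below would raise AttributeError.
        if guest_user is None:
            log.debug("[auth_user_logged_in] No guest user could be built from the request")
            return
        guest_user_id = str(uuid4())
        guest_role_name = current_app.config.get("GUEST_ROLE_NAME", "Public")
        guest_role = sm.find_role(guest_role_name) or sm.find_role("Public")
        # Fail closed: when neither role exists the guest gets no roles at all,
        # instead of a ``[None]`` entry that later permission checks trip over.
        if guest_role is None:
            log.warning(
                "[auth_user_logged_in] Guest role %r (and fallback 'Public') not found; guest gets no roles",
                guest_role_name,
            )
            guest_user.roles = []
        else:
            guest_user.roles = [guest_role]
        guest_user.username = f"guest_{guest_user_id}"
        log.debug(
            "✅ [auth_user_logged_in] Guest user: %s Guest user role: %s",
            guest_user.username,
            guest_role,
        )
        # force=True logs the guest in even if the user object is not "active".
        login_user(guest_user, force=True)
        g.user = guest_user
        # Make sure the generated id is in the session for the async query machinery.
        session["async_user_id"] = guest_user_id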
    
    
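    def _user_is_logged_in(sm):
        """Return True when an authenticated user is (or can be) attached to this request.

        Resolution order: an already-authenticated ``g.user``; Flask-Login's
        ``current_user``; finally the ``_user_id`` session key, which is looked
        up against the user model and logged in again.

        Args:
            sm: the security manager, providing ``session`` and ``user_model``.

        Raises:
            Exception: any error raised while loading the user for the session
                id is logged and re-raised.
        """
        user = getattr(g, "user", None)
        if user and user.is_authenticated:
            return True
        try:
            if current_user.is_authenticated:
                g.user = current_user
                log.debug(
                    "✅ [auth_user_logged_in] Set g.user from current_user: %s",
                    g.user.username,
                )
                return True
        except Exception as e:
            # Best effort: a failing current_user proxy just falls through to
            # the session-id lookup below.
            log.debug("[auth_user_logged_in] current_user check failed: %s", e)
        user_id = session.get("_user_id")
        if not user_id:
            return False
        try:
            # NOTE(review): filters on ``user_model.user_id``; confirm that is
            # the key column ``_user_id`` was written from.
            user = (
                sm.session.query(sm.user_model)
                .filter(sm.user_model.user_id == user_id)
                .one_or_none()
            )
            if user is None:
                log.warning("User ID %s in session but not found in DB", user_id)
                session.pop("_user_id", None)  # Clean up bad session
                return False
            g.user = user
            log.debug(
                "✅ [auth_user_logged_in] Loaded user from session ID: %s",
                user.username,
            )
            # force=False: an inactive user is not logged back in.
            login_user(user, force=False, duration=PERMANENT_SESSION_LIFETIME)
            return True
        except Exception:
            log.exception("[auth_user_logged_in] Error loading user %s", user_id)
            raise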
```        

GitHub link: 
https://github.com/apache/superset/discussions/38467#discussioncomment-16021130
