From 79d5b439c6072e31d4d06e2a7d7dc5c5df8cb779 Mon Sep 17 00:00:00 2001
From: Ash Berlin-Taylor
Date: Wed, 15 Jul 2020 11:24:29 +0100
Subject: [PATCH] Disabling CSRF is a security risk - and not needed

Closes #73, #72
---
 README.md | 9 +--------
 plugins/rest_api_plugin.py | 8 ++++++++
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index aa5389d..ea3cdce 100644
--- a/README.md
+++ b/README.md
@@ -96,14 +96,7 @@ The plugin also includes other custom REST APIs.
 b. Follow the "Enabling Authentication" section below.
-7. We need to replace the `CSRF_ENABLED` attribute with `WTF_CSRF_ENABLED`.
- This change is required to support the POST method when RBAC is enabled with JWT.
- Please add the following property in the `{AIRFLOW_HOME}/webserver_config.py` file.
-
- # Flask-WTF flag for CSRF
- WTF_CSRF_ENABLED = False
-
-8. Restart the Airflow Web Server
+7. Restart the Airflow Web Server
 ### Enabling Authentication
diff --git a/plugins/rest_api_plugin.py b/plugins/rest_api_plugin.py
index 9c14d77..f9ec8f1 100644
--- a/plugins/rest_api_plugin.py
+++ b/plugins/rest_api_plugin.py
@@ -22,6 +22,13 @@ from flask_jwt_extended.view_decorators import jwt_required, verify_jwt_in_request
+try:
+ from airflow.www_rbac.app import csrf as rbac_csrf
+except ImportError:
+ def rbac_csrf():
+ pass
+ rbac_csrf.exempt = lambda view: view
+
 """
 CLIs this REST API exposes are Defined here: http://airflow.incubator.apache.org/cli.html
 """
@@ -805,6 +812,7 @@ def index(self):
 @csrf.exempt # Exempt the CSRF token
 @admin_expose('/api', methods=["GET", "POST"]) # for Flask Admin
 # for Flask AppBuilder
+ @rbac_csrf.exempt # Exempt the CSRF token
 @app_builder_expose('/api', methods=["GET", "POST"])
 @http_token_secure # On each request
 @jwt_token_secure # On each request
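Review bot: The `except ImportError` branch in the first plugins hunk turns `@rbac_csrf.exempt` into a silent no-op, so when `airflow.www_rbac.app` is absent (or its module path moves in a later Airflow release) the `/api` POST route simply stays under whatever CSRF enforcement the RBAC app applies, with nothing logged to explain why POSTs are rejected. Failing closed is the right direction, but the stand-in deserves a comment and a clearer shape than a dummy function with an attribute bolted on, e.g. `except ImportError:  # no RBAC app importable: keep a no-op exempt so the decorator stack still loads; CSRF stays enforced` followed by `rbac_csrf = types.SimpleNamespace(exempt=lambda view: view)` (requires `import types` in the module's import block, which is outside this hunk). A debug-level log line in that branch would also let operators tell which CSRF object the exemption was actually applied to. The module-level `"""CLIs ..."""` string that follows is not a docstring once code precedes it, but that predates this change.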
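Review bot: The new `@rbac_csrf.exempt` in the second plugins hunk is placed between `@admin_expose` and `@app_builder_expose`, so it receives the view after `@http_token_secure` and `@jwt_token_secure` have wrapped it; Flask-WTF's `exempt` keys the exemption on the view's `__module__` and `__name__`, so it only matches the endpoint FAB registers if those two decorators preserve the wrapped function's name with `functools.wraps` — they are defined outside this hunk, so please confirm. The existing `# for Flask AppBuilder` comment now reads as labelling the exempt line rather than the expose line below it; suggest `@rbac_csrf.exempt  # exempt from the RBAC app's CSRFProtect; /api relies on the per-request token decorators below` and moving the original comment onto `@app_builder_expose`. The exemption is only sound while the HTTP/JWT token arrives in a request header rather than a browser-attached cookie; if `jwt_token_secure` also accepts cookie-borne tokens, exempting CSRF reopens cross-site POSTs, which is worth stating in that comment. The decorated method's `def` line lies after the hunk.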