CSRF configuration is missing the WTF_ prefix

[zachliu]

Apache Airflow version:

Kubernetes version (if you are using kubernetes) (use kubectl version):

Environment:

• Cloud provider or hardware configuration: AWS ECS
• OS (e.g. from /etc/os-release): Ubuntu 18.04 bionic
• Kernel (e.g. uname -a): 4.15.0-1065-aws
• Install tools:
• Others:

What happened:
I have been trying to update a certain CSRF configuration (WTF_CSRF_TIME_LIMIT) because I've been annoyed by the CSRF token has expired error message whenever I stayed on a page for more than 1 hour and wanted to refresh.

What you expected to happen:
In webserver_config.py there is a CSRF_ENABLED = True. So I added CSRF_TIME_LIMIT = None after that line. But it didn't work. After reading https://github.com/lepture/flask-wtf/blob/v0.14.2/flask_wtf/csrf.py, I realized that we needed WTF_CSRF_TIME_LIMIT in my webserver_config.py. The WTF_ prefix cannot be omitted.

How to reproduce it:

1. Add CSRF_TIME_LIMIT = None after CSRF_ENABLED = True in webserver_config.py.
2. Re-deploy.
3. Go to any DAG's tree view.
4. Stay there for more than 1 hour.
5. Click the Refresh button.
6. See the CSRF token has expired error message

Anything else we need to know:

I already forked Airflow. I guess I'll submit a simple PR to add the WTF_ prefix

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template!

[mik-laj]

#8613
Is it related? Can you check it?

[zachliu]

it's unrelated

[ashb]

I'm not quite sure what you are asking us to do here -- the webserver_config.py that airflow generates does not set a time limit, CSRF_TIME_LIMIT or WTF_CSRF_TIME_LIMIT.

Once airflow has generated that file you are in control of what you put in it -- it lives in your Airflow install, not the airflow code base.

Unless I've misunderstood here, there's nothing for us to do, and you've already found the correct setting to set.

[zachliu]

I'm not quite sure what you are asking us to do here -- the webserver_config.py that airflow generates does not set a time limit, CSRF_TIME_LIMIT or WTF_CSRF_TIME_LIMIT.

Once airflow has generated that file you are in control of what you put in it -- it lives in your Airflow install, not the airflow code base.

Unless I've misunderstood here, there's nothing for us to do, and you've already found the correct setting to set.

my bad, i should describe it more clearly
the CSRF_ENABLED = True in this file in airflow's code base

airflow/airflow/config_templates/default_webserver_config.py

Line 37 in 51d9557

CSRF_ENABLED = True

should be

WTF_CSRF_ENABLED = True

without WTF_ that line is useless

[ashb]

@zachliu Ahha gotcha, yes. PR to fix that for new installs (we can't do anything about existing/already generated webserver_config.py, but at least it would stop some people tearing their hair out.)