
Error in /api/v1/security/csrf_token/ 422 "msg": "Subject must be a string" #31675

Closed
3 tasks
RenePab opened this issue Jan 1, 2025 · 8 comments
Labels
api Related to the REST API authentication Related to authentication

Comments

@RenePab

RenePab commented Jan 1, 2025

Bug description

I have installed the latest version of the master branch, ran docker compose up, and got everything working fine through the browser; I could even log in through the API endpoint using Postman:
http://localhost:8088/api/v1/security/login

The problem is that this endpoint:
http://localhost:8088/api/v1/security/csrf_token/
is returning:
status: 422 UNPROCESSABLE ENTITY
{
"msg": "Subject must be a string"
}

This is the access token generated by the login endpoint:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6dHJ1ZSwiaWF0IjoxNzM1NzcwNzkwLCJqdGkiOiIzZDYzMThhYi05NTYyLTQxZmUtOGJmNS0zMzNiMTU5YmM4NDAiLCJ0eXBlIjoiYWNjZXNzIiwic3ViIjoxLCJuYmYiOjE3MzU3NzA3OTAsImNzcmYiOiIzYTMxOGZhMi0wMTI0LTQ5YzctYjQzZi03YjFhMDU3YzlmZjEiLCJleHAiOjE3MzU3NzE2OTB9.fIc111JN4WysrHIfhQVyLSzVi6VAvnhi18UPX3jLJLw

{
"fresh": true,
"iat": 1735770790,
"jti": "3d6318ab-9562-41fe-8bf5-333b159bc840",
"type": "access",
"sub": 1,
"nbf": 1735770790,
"csrf": "3a318fa2-0124-49c7-b43f-7b1a057c9ff1",
"exp": 1735771690
}

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

dosubot bot commented Jan 1, 2025

Hello, @RenePab! I'm here to help you with any bugs, questions, or contributions you have for the project. Let's tackle this issue together!

The error message "Subject must be a string" occurs because the 'sub' claim in the JWT token payload is an integer, but the CSRF token endpoint requires it to be a string. This is a known issue when using the latest version of the master branch in Superset [1].

A recommended workaround is to use the Superset CLI for automation tasks instead of the API, as there is no direct way to modify the 'sub' claim in the Ansible workflow [1].


@dosubot dosubot bot added api Related to the REST API authentication Related to authentication labels Jan 1, 2025
@k4p1l

k4p1l commented Jan 2, 2025

"sub": 1
Convert it to a string and then generate the JWT token:
"sub": "1"
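The two comments above describe the failure but do not show it. The following is an added example, not code from the issue, from Superset or from the JWT library it uses: it parses the access token quoted in the bug report, applies the RFC 7519 rule that "sub" must be a string (the check that produces the "Subject must be a string" message), then mints and verifies a replacement token whose "sub" is "1" rather than 1. The HS256 helpers, the validator, the `diagnose()` function and the `dev-secret` key are hypothetical, written only for this demonstration; the reported token is parsed without signature verification because its signing key is not on the page.

```python
import base64
import hashlib
import hmac
import json

# Access token quoted verbatim in the bug report above. It was signed with the
# reporter's local SECRET_KEY, which we do not have, so it is only parsed here.
REPORTED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJmcmVzaCI6dHJ1ZSwiaWF0IjoxNzM1NzcwNzkwLCJqdGkiOiIzZDYzMThhYi05NTYyLTQxZmUtOGJmNS0zMzNiMTU5YmM4NDAiLCJ0eXBlIjoiYWNjZXNzIiwic3ViIjoxLCJuYmYiOjE3MzU3NzA3OTAsImNzcmYiOiIzYTMxOGZhMi0wMTI0LTQ5YzctYjQzZi03YjFhMDU3YzlmZjEiLCJleHAiOjE3MzU3NzE2OTB9."
    "fIc111JN4WysrHIfhQVyLSzVi6VAvnhi18UPX3jLJLw"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unverified_claims(token: str) -> dict:
    """Parse the payload WITHOUT checking the signature (diagnostics only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


class InvalidSubjectError(ValueError):
    pass


def validate_registered_claims(claims: dict) -> dict:
    # RFC 7519 section 4.1.2 defines "sub" as StringOrURI, so a JSON number such
    # as the 1 in the reported token is rejected. Hypothetical validator that
    # reproduces the message seen in the issue; not the library's own code.
    sub = claims.get("sub")
    if sub is not None and not isinstance(sub, str):
        raise InvalidSubjectError("Subject must be a string")
    return claims


def subject_is_valid(claims: dict) -> bool:
    try:
        validate_registered_claims(claims)
        return True
    except InvalidSubjectError:
        return False


def fix_subject(claims: dict) -> dict:
    # The workaround from the comment above: carry the user id as the string "1".
    fixed = dict(claims)
    if "sub" in fixed and not isinstance(fixed["sub"], str):
        fixed["sub"] = str(fixed["sub"])
    return fixed


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Minimal HS256 signer (hypothetical, stand-in for the real library)."""
    validate_registered_claims(claims)
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify signature and registered claims; rejects before trusting the payload."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return validate_registered_claims(json.loads(_b64url_decode(payload_b64)))


def diagnose(token: str) -> str:
    """What a client script can run on access_token before calling csrf_token/."""
    sub = unverified_claims(token).get("sub")
    if isinstance(sub, str):
        return "ok"
    return (f"sub claim is {type(sub).__name__} ({sub!r}); "
            "csrf_token/ will answer 422 until the issuer emits a string")


if __name__ == "__main__":
    print(diagnose(REPORTED_TOKEN))
    secret = b"dev-secret"  # made up for the demo
    reissued = mint_hs256(fix_subject(unverified_claims(REPORTED_TOKEN)), secret)
    print(diagnose(reissued), verify_hs256(reissued, secret)["sub"])
```

`diagnose()` is the check worth adding to any client script that follows the login/csrf_token/guest_token sequence: it turns the opaque 422 into a clear statement that the server-side issuer is putting an integer in "sub", which is the only thing a client cannot fix on its own. Note that `unverified_claims()` is for diagnostics only; never make an authorization decision on a payload whose signature you have not checked.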

@rusackas
Member

rusackas commented Jan 3, 2025

Assuming the answer above solves @RenePab 's issue, I'll go ahead and close this (especially since it doesn't seem like a Superset bug in this case). Holler if there's more that needs to be addressed here.

@rusackas rusackas closed this as completed Jan 3, 2025
@onionhammer

"This is a known issue" -> proceeds to close issue

@leschiffres

@rusackas I also encountered this issue when I installed the latest Superset version. The following code was working normally, and when I updated the Superset version I was getting the error that @RenePab was getting.

import requests
base_url = "http://localhost:8088/"
# Start a session to maintain cookies across requests
session = requests.Session()

payload = {
    "username": "admin",
    "password": "admin",
    "provider": "db"
}

# Login and get the access token
r = session.post(base_url + 'api/v1/security/login', json=payload)
access_token = r.json()['access_token']

print(access_token)

# Add the access token to the session headers
session.headers.update({
    "Authorization": "Bearer " + access_token
})

# Request the CSRF token
r = session.get(base_url + 'api/v1/security/csrf_token/')
csrf_token = r.json()['result']

print(csrf_token)

# Update headers with the CSRF token
session.headers.update({
    'Content-Type': 'application/json',
    'X-CSRF-TOKEN': csrf_token
})

# Prepare payload for guest token request
payload = {
    "resources": [
        {
            "type": "dashboard",
            "id": "23680d7e-ba50-4a4e-94f0-3974994656ea",
        }
    ],
    "rls": [],
    "user": {
        "username": "report-viewer",
        "first_name": "report-viewer",
        "last_name": "report-viewer",
    }
}

# Request the guest token
r = session.post(base_url + 'api/v1/security/guest_token/', json=payload)

# Print the response
print(r.json()['token'])

@rusackas
Member

Happy to reopen the issue.

@onionhammer it seemed like a field that requires being a string should be populated with a string... that didn't seem like a "bug" so I closed it. We're all volunteering here, trying to keep an actionable backlog... no need to be snarky.

@leschiffres if you can narrow it down to the line(s) that changed, maybe you can do a git blame and see which PR changed it and why?

@amitesh-ciq

#31675 (comment)
I am also getting the same issue.
+1

@leschiffres

@rusackas I am not entirely sure which lines might be.

I tried to uninstall the current version of superset and install an earlier version, but the issue persists.

I then tried to completely delete the superset metadata by deleting the .superset/ folder but I ended up causing a completely different issue and now nothing really works.

Development

No branches or pull requests

6 participants