Disabling CSRF is a security risk - and not needed

README.md

@@ -96,14 +96,7 @@ The plugin also includes other custom REST APIs.
 
  b. Follow the "Enabling Authentication" section below.
 
-7. We need to replace the `CSRF_ENABLED` attribute with `WTF_CSRF_ENABLED`. 
- This change is required to support the POST method when RBAC is enabled with JWT.
- Please add the following property in the `{AIRFLOW_HOME}/webserver_config.py` file.
-
- # Flask-WTF flag for CSRF
- WTF_CSRF_ENABLED = False
-
-8. Restart the Airflow Web Server
+7. Restart the Airflow Web Server
 
 ### Enabling Authentication
 

plugins/rest_api_plugin.py

@@ -22,6 +22,13 @@
 from flask_jwt_extended.view_decorators import jwt_required, verify_jwt_in_request
 
 
+try:
+ from airflow.www_rbac.app import csrf as rbac_csrf
+except ImportError:
+ def rbac_csrf():
+ pass
+ rbac_csrf.exempt = lambda view: view
+
 """
 CLIs this REST API exposes are Defined here: http://airflow.incubator.apache.org/cli.html
 """
@@ -805,6 +812,7 @@ def index(self):
  @csrf.exempt # Exempt the CSRF token
  @admin_expose('/api', methods=["GET", "POST"]) # for Flask Admin
  # for Flask AppBuilder
+ @rbac_csrf.exempt # Exempt the CSRF token
  @app_builder_expose('/api', methods=["GET", "POST"])
  @http_token_secure # On each request
  @jwt_token_secure # On each request