ephraimbuddy commented on a change in pull request #15042:
URL: https://github.com/apache/airflow/pull/15042#discussion_r616877504



##########
File path: airflow/api_connexion/security.py
##########
@@ -14,24 +14,38 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-
 from functools import wraps
 from typing import Callable, Optional, Sequence, Tuple, TypeVar, cast
 
 from flask import Response, current_app
+from flask_jwt_extended import verify_jwt_in_request
 
 from airflow.api_connexion.exceptions import PermissionDenied, Unauthenticated
+from airflow.models import TokenBlockList
 
 T = TypeVar("T", bound=Callable)  # pylint: disable=invalid-name
 
 
+@current_app.appbuilder.sm.jwt_manager.token_in_blacklist_loader
+def check_if_token_in_blacklist(decrypted_token):
+    """Checks if there's a blocked token"""
+    jti = decrypted_token['jti']
+    return TokenBlockList.get_token(jti) is not None
+
+
 def check_authentication() -> None:
     """Checks that the request has valid authorization information."""
     response = current_app.api_auth.requires_authentication(Response)()
-    if response.status_code != 200:
+    if response.status_code == 200:
+        return
+    try:
+        verify_jwt_in_request()
+        return
+    except Exception:  # pylint: disable=broad-except
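Review bot: The decorator on `check_if_token_in_blacklist` dereferences `current_app` when the module is imported, so an import outside an application context would raise instead of registering the revocation callback. Registering it where the JWT manager is created, for example `jwt_manager.token_in_blacklist_loader(check_if_token_in_blacklist)` during app initialisation, ties the check to the app that actually serves the API. flask-jwt-extended consults this callback only when `JWT_BLACKLIST_ENABLED` is set, and the hunk does not show that setting, so it is worth confirming; without it, revoked tokens would still pass `verify_jwt_in_request()`. The body of `check_authentication` continues outside the quoted hunk.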

Review comment:
       Because the auth_backend is also still in operation, capturing the
actual exception here would give misleading information. For example, if a
user makes a request using the auth_backend, and that first check fails and
execution reaches this point, capturing an invalid signature error would
confuse the user.



