vincbeck commented on code in PR #34349:
URL: https://github.com/apache/airflow/pull/34349#discussion_r1349194668
##########
airflow/www/extensions/init_views.py:
##########
@@ -308,5 +318,16 @@ def init_api_experimental(app):
"The authenticated user has full access.",
RemovedInAirflow3Warning,
)
+ base_paths.append("/api/experimental")
app.register_blueprint(endpoints.api_experimental,
url_prefix="/api/experimental")
app.extensions["csrf"].exempt(endpoints.api_experimental)
+
+
+def init_api_auth_provider(app):
+ """Initialize the API offered by the auth manager."""
+ auth_mgr = get_auth_manager()
+ blueprint = auth_mgr.get_api_blueprint()
+ if blueprint is not None:
+ base_paths.append(blueprint.url_prefix)
+ app.register_blueprint(blueprint)
+ app.extensions["csrf"].exempt(blueprint)
Review Comment:
While making the updates, I have a second thought and I am wondering if this
is a good idea. In Airflow we seem to make a particular case for the Rest API:
- As already mentioned we disable the csrf protection (even though as you
said we can do it case by case)
- We handle errors differently if this is a view or the Rest API. See
https://github.com/apache/airflow/blame/main/airflow/www/extensions/init_views.py#L240
So I am wondering if we should not update the method from `def
get_api_blueprint(self) -> None | Blueprint:` to `def get_api(self) -> None |
FlaskApi:`.
That way, we force the user to use it only for API and is no longer able to
register any blueprint. Thoughts?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
