This is an automated email from the ASF dual-hosted git repository.

kaxilnaik pushed a commit to branch v3-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit 97754ea21dcfb9db926975ee826c8e1d6bc81233
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Thu Apr 24 12:19:34 2025 -0400

    Fix infinite redirect caused by mistakenly setting token cookie as secure 
(#49721) (#49733)
    
    `api/ssl_cert` has a default value of "" so `has_option` always returns
    true, so we need a slightly more involved way of telling whether this
    setting is turned on.
    
    I have also updated the Simple security manager to look at X-Forwarded-Proto
    so that if there is a reverse proxy in front (and if Airflow is configured 
to
    trust that) then it sets the secure flag
    (cherry picked from commit 76edd92cc0a66603cd934a365566ca97c1fe7055)
    
    Co-authored-by: Ash Berlin-Taylor <[email protected]>
    
    * Update airflow-core/docs/core-concepts/auth-manager/index.rst
    
    ---------
    
    Co-authored-by: Ash Berlin-Taylor <[email protected]>
---
 airflow-core/docs/core-concepts/auth-manager/index.rst         |  2 +-
 .../airflow/api_fastapi/auth/managers/simple/routes/login.py   | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/airflow-core/docs/core-concepts/auth-manager/index.rst 
b/airflow-core/docs/core-concepts/auth-manager/index.rst
index 417bad407db..95cd05aae4f 100644
--- a/airflow-core/docs/core-concepts/auth-manager/index.rst
+++ b/airflow-core/docs/core-concepts/auth-manager/index.rst
@@ -148,7 +148,7 @@ delete the cookie.
 
     response = RedirectResponse(url="/")
 
-    secure = conf.has_option("api", "ssl_cert")
+    secure = bool(conf.get("api", "ssl_cert", fallback=""))
     response.set_cookie(COOKIE_NAME_JWT_TOKEN, token, secure=secure)
     return response
 
diff --git 
a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/routes/login.py 
b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/routes/login.py
index c901692d8f9..82875ceb123 100644
--- a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/routes/login.py
+++ b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/routes/login.py
@@ -17,7 +17,7 @@
 
 from __future__ import annotations
 
-from fastapi import status
+from fastapi import Request, status
 from starlette.responses import RedirectResponse
 
 from airflow.api_fastapi.auth.managers.base_auth_manager import 
COOKIE_NAME_JWT_TOKEN
@@ -57,10 +57,14 @@ def create_token_all_admins() -> LoginResponse:
     status_code=status.HTTP_307_TEMPORARY_REDIRECT,
     responses=create_openapi_http_exception_doc([status.HTTP_403_FORBIDDEN]),
 )
-def login_all_admins() -> RedirectResponse:
+def login_all_admins(request: Request) -> RedirectResponse:
     """Login the user with no credentials."""
     response = RedirectResponse(url=conf.get("api", "base_url", fallback="/"))
-    secure = conf.has_option("api", "ssl_cert")
+
+    # The default config has this as an empty string, so we can't use 
`has_option`.
+    # And look at the request info (needs `--proxy-headers` flag to api-server)
+    secure = request.base_url.scheme == "https" or bool(conf.get("api", 
"ssl_cert", fallback=""))
+
     response.set_cookie(
         COOKIE_NAME_JWT_TOKEN,
         SimpleAuthManagerLogin.create_token_all_admins(),
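Review bot: The comment above the new `secure` assignment understates the trust requirement: `request.base_url.scheme` is only `https` behind a TLS-terminating proxy when the server honours `X-Forwarded-Proto`, and uvicorn's `--proxy-headers` does that only for peers listed in `--forwarded-allow-ips`, so with an unlisted proxy address and an empty `ssl_cert` the scheme stays `http` and the cookie is issued without `secure`, silently reverting to the plaintext-cookie behaviour this commit is fixing. Suggest replacing the two comment lines with `# Honour the request scheme so TLS terminated at a trusted reverse proxy still yields a secure cookie; the api-server must run with --proxy-headers and the proxy address must be in --forwarded-allow-ips.` A whitespace-only `ssl_cert` value would also satisfy `bool(...)`, so `conf.get(...).strip()` before the truth test is the safer form. The docs example in index.rst keeps only the `ssl_cert` half of the check and no longer mirrors this code. The `set_cookie(...)` call of `login_all_admins` continues past the end of the hunk.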
