This is an automated email from the ASF dual-hosted git repository.

vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new fa0918902f8 fix: Add FAB configs for cookie security (#53542)
fa0918902f8 is described below

commit fa0918902f8bbd95aa6742d0e658aaa3d4ace253
Author: Lipu Fei <[email protected]>
AuthorDate: Fri Aug 1 16:20:52 2025 +0200

    fix: Add FAB configs for cookie security (#53542)
---
 airflow-core/src/airflow/cli/commands/config_command.py | 4 ++++
 providers/fab/src/airflow/providers/fab/www/app.py      | 6 ++++++
 providers/fab/www-hash.txt                              | 2 +-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/airflow-core/src/airflow/cli/commands/config_command.py 
b/airflow-core/src/airflow/cli/commands/config_command.py
index ab620f37687..0c30ce111af 100644
--- a/airflow-core/src/airflow/cli/commands/config_command.py
+++ b/airflow-core/src/airflow/cli/commands/config_command.py
@@ -345,6 +345,8 @@ CONFIGS_CHANGES = [
     ),
     ConfigChange(
         config=ConfigParameter("webserver", "cookie_samesite"),
+        renamed_to=ConfigParameter("fab", "cookie_samesite"),
+        breaking=True,
     ),
     ConfigChange(
         config=ConfigParameter("webserver", "audit_view_included_events"),
@@ -570,6 +572,8 @@ CONFIGS_CHANGES = [
     ),
     ConfigChange(
         config=ConfigParameter("webserver", "cookie_secure"),
+        renamed_to=ConfigParameter("fab", "cookie_secure"),
+        breaking=True,
         was_deprecated=False,
     ),
     ConfigChange(
diff --git a/providers/fab/src/airflow/providers/fab/www/app.py 
b/providers/fab/src/airflow/providers/fab/www/app.py
index ea7a59b9e4e..ee6541d2dbb 100644
--- a/providers/fab/src/airflow/providers/fab/www/app.py
+++ b/providers/fab/src/airflow/providers/fab/www/app.py
@@ -61,6 +61,12 @@ def create_app(enable_plugins: bool):
     flask_app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
     flask_app.config["PERMANENT_SESSION_LIFETIME"] = 
timedelta(minutes=get_session_lifetime_config())
 
+    flask_app.config["SESSION_COOKIE_HTTPONLY"] = True
+    if conf.has_option("fab", "COOKIE_SECURE"):
+        flask_app.config["SESSION_COOKIE_SECURE"] = conf.getboolean("fab", 
"COOKIE_SECURE")
+    if conf.has_option("fab", "COOKIE_SAMESITE"):
+        flask_app.config["SESSION_COOKIE_SAMESITE"] = conf.get("fab", 
"COOKIE_SAMESITE")
+
     webserver_config = conf.get_mandatory_value("fab", "config_file")
     # Enable customizations in webserver_config.py to be applied via 
Flask.current_app.
     with flask_app.app_context():
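Review bot: The `has_option` guards on the two new lines mean that a deployment without `[fab] cookie_secure` / `cookie_samesite` silently falls through to Flask's defaults (`SESSION_COOKIE_SECURE=False`, `SESSION_COOKIE_SAMESITE=None`), so an operator who relied on the old `[webserver]` values gets a session cookie that is sent over plain HTTP after the rename unless the provider's config defaults already declare these options — I cannot see those defaults from this hunk, so this needs confirming. The `cookie_samesite` value is also passed through unvalidated; Werkzeug only rejects a bad value (anything other than Strict/Lax/None) when it serialises the cookie on a response, not at startup, and `SameSite=None` without `Secure` is dropped by browsers. I would drop the guards and make the intent explicit: `flask_app.config["SESSION_COOKIE_SECURE"] = conf.getboolean("fab", "cookie_secure", fallback=False)` and `flask_app.config["SESSION_COOKIE_SAMESITE"] = conf.get("fab", "cookie_samesite", fallback="Lax")`, with a comment `# Secure/SameSite are read from [fab]; the old [webserver] keys are no longer honoured here`. The option names are also spelled in upper case here but lower case in the `config_command.py` entries; Airflow's config lookup is case-insensitive, so this is style only. `create_app` continues past the end of the hunk.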
diff --git a/providers/fab/www-hash.txt b/providers/fab/www-hash.txt
index cf28a576399..f27a39fa77f 100644
--- a/providers/fab/www-hash.txt
+++ b/providers/fab/www-hash.txt
@@ -1 +1 @@
-1ba327c123e0aa04d01fdcc7259e72b7cd0ff2df607fe95d8aeb524247a2a62e
+7c75393001a5280d25bca03d39c13ec8072a12a3628628398379473fa85da21e
