potiuk commented on PR #53907: URL: https://github.com/apache/airflow/pull/53907#issuecomment-3196096456
> I think we somewhat achieve what's needed, but I'm still not super comfortable with `GET` performing the update of the data. Would love to hear how the AIP authors think back to the time it was proposed

Despite being somewhat "ok" from the security point of view I am also a bit uneasy with it. I think a really better solution would be an action that requires a POST request with all the protection - and the GET link in the email would lead to a simple page where the user could confirm the action that would send a POST request to your server.

This request could include a CSRF token to prevent unauthorized requests. This also has the additional benefit that the user could actually see what they are confirming. Any "non-user" automation out there could use a POST request directly and we could generate enough info for the automation to construct the POST properly with CSRF tokens etc.

-- 
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
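
The flow proposed in the comment above, sketched as an added example that is not part of the original comment or of Airflow's code: the e-mailed GET link only renders a confirmation form, and the state change happens solely on a POST carrying a CSRF token bound to the session and request. All names (`handle_get`, `handle_post`, `SERVER_KEY`, the `/respond/` path, the in-memory `responses` store) are hypothetical.

```python
import hashlib
import hmac
import html
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret
TOKEN_TTL = 600                       # seconds a confirmation form stays valid
responses = {}                        # request_id -> option (stand-in for the DB)


def _mac(session_id, request_id, ts):
    msg = f"{session_id}|{request_id}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, request_id, now=None):
    """Token is bound to the session and to the request being confirmed."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, request_id, ts)}"


def verify_csrf_token(token, session_id, request_id, now=None):
    ts, _, mac = token.partition(".")
    if not (ts.isascii() and ts.isdigit() and mac):
        return False
    if (time.time() if now is None else now) - int(ts) > TOKEN_TTL:
        return False
    expected = _mac(session_id, request_id, ts)
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_get(session_id, request_id, option):
    """E-mail link target: render a confirmation form, change nothing."""
    token = issue_csrf_token(session_id, request_id)
    rid, opt = html.escape(request_id), html.escape(option)
    return 200, (
        f'<p>Confirm "{opt}" for request {rid}?</p>'
        f'<form method="post" action="/respond/{rid}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f'<input type="hidden" name="option" value="{opt}">'
        '<button>Confirm</button></form>')


def handle_post(session_id, request_id, option, csrf_token):
    """The only state-changing path; rejects requests without a valid token."""
    if not verify_csrf_token(csrf_token or "", session_id, request_id):
        return 403, "invalid or missing CSRF token"
    responses[request_id] = option
    return 200, "recorded"
```

Because the GET handler never writes, link prefetchers and mail scanners that follow the e-mailed URL cannot record a response on the user's behalf.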
