ashb commented on PR #53907: URL: https://github.com/apache/airflow/pull/53907#issuecomment-3198171855
The fact that this might not be enabled by default doesn't by itself make it secure. > Any "non-user" automation out there could use POST request directly and we could generate enough info for the automation to construct the POST properly with CSRF tokens etc. Exactly. Essentially what I'm asking is (and I think this is what Brent and Jarek are suggesting?), is instead of creating a whole new URL endpoint and a database model, can't we "deep link" to the page in the Airflow UI with the form filled out appropriately, and then the user can click there. And as for the "respond" end point: we need to remove that. It's a parallel API we have to maintain. Either the public API is fit for purpose, or we should change that to make it more user friendly. We shouldn't be maintaining two APIs to do the same thing. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
