This is an automated email from the ASF dual-hosted git repository.

ephraimanierobi pushed a commit to branch v3-1-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit 42984c5926cd04a2b81b86eea3ccefc3286ed5ab
Author: Vincent <[email protected]>
AuthorDate: Mon Oct 20 16:25:15 2025 -0400

    Handle invalid token in `JWTRefreshMiddleware` (#56904)
    
    (cherry picked from commit d0e6222ef8cabcd4c4add4baf9a0eab7172e5ada)
---
 .../airflow/api_fastapi/auth/middlewares/refresh_token.py  |  7 +++++--
 .../api_fastapi/auth/middlewares/test_refresh_token.py     | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git 
a/airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py 
b/airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py
index f304eb9517f..81ed8448734 100644
--- a/airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py
+++ b/airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py
@@ -17,7 +17,7 @@
 # under the License.
 from __future__ import annotations
 
-from fastapi import Request
+from fastapi import HTTPException, Request
 from starlette.middleware.base import BaseHTTPMiddleware
 
 from airflow.api_fastapi.app import get_auth_manager
@@ -64,5 +64,8 @@ class JWTRefreshMiddleware(BaseHTTPMiddleware):
 
     @staticmethod
     async def _refresh_user(current_token: str) -> BaseUser | None:
-        user = await resolve_user_from_token(current_token)
+        try:
+            user = await resolve_user_from_token(current_token)
+        except HTTPException:
+            return None
         return get_auth_manager().refresh_user(user=user)
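Review bot: The new `except HTTPException: return None` in `_refresh_user` discards every HTTPException raised by `resolve_user_from_token` without any record, so a rejected or expired cookie token leaves no trace for anyone watching for repeated bad-token traffic. Binding the exception and logging its status would keep the pass-through behaviour while making the event visible, e.g. `except HTTPException as exc:` followed by `log.debug("JWT refresh skipped, token rejected with status %s", exc.status_code)`, assuming the module has or gains a logger. The token value itself should not be logged. `resolve_user_from_token` is not visible here, so it is unclear which status codes it can raise; if anything other than an authentication failure can surface, the handler should probably re-raise those rather than treat them as "no user". The class body starts outside this hunk.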
diff --git 
a/airflow-core/tests/unit/api_fastapi/auth/middlewares/test_refresh_token.py 
b/airflow-core/tests/unit/api_fastapi/auth/middlewares/test_refresh_token.py
index 87648a2be2b..e87b7c3fd2f 100644
--- a/airflow-core/tests/unit/api_fastapi/auth/middlewares/test_refresh_token.py
+++ b/airflow-core/tests/unit/api_fastapi/auth/middlewares/test_refresh_token.py
@@ -20,7 +20,7 @@ from __future__ import annotations
 from unittest.mock import AsyncMock, MagicMock, patch
 
 import pytest
-from fastapi import Request, Response
+from fastapi import HTTPException, Request, Response
 
 from airflow.api_fastapi.auth.managers.base_auth_manager import 
COOKIE_NAME_JWT_TOKEN
 from airflow.api_fastapi.auth.managers.models.base_user import BaseUser
@@ -72,6 +72,18 @@ class TestJWTRefreshMiddleware:
         mock_resolve_user_from_token.assert_called_once_with("valid_token")
         mock_auth_manager.generate_jwt.assert_not_called()
 
+    
@patch("airflow.api_fastapi.auth.middlewares.refresh_token.resolve_user_from_token")
+    @pytest.mark.asyncio
+    async def test_dispatch_expired_token(self, mock_resolve_user_from_token, 
middleware, mock_request):
+        mock_request.cookies = {COOKIE_NAME_JWT_TOKEN: "invalid_token"}
+        mock_resolve_user_from_token.side_effect = 
HTTPException(status_code=403)
+
+        call_next = AsyncMock(return_value=Response())
+        await middleware.dispatch(mock_request, call_next)
+
+        call_next.assert_called_once_with(mock_request)
+        mock_resolve_user_from_token.assert_called_once_with("invalid_token")
+
     @pytest.mark.asyncio
     
@patch("airflow.api_fastapi.auth.middlewares.refresh_token.get_auth_manager")
     
@patch("airflow.api_fastapi.auth.middlewares.refresh_token.resolve_user_from_token")
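Review bot: `test_dispatch_expired_token` only checks that `call_next` ran and that the resolver was called. It never asserts the property that matters for this middleware, namely that a rejected token does not lead to a refreshed user or a newly issued cookie. The preceding test already pins this with `mock_auth_manager.generate_jwt.assert_not_called()`. The new test should patch `get_auth_manager` the same way and make the same assertion, ideally also checking that the returned response carries no `Set-Cookie` for `COOKIE_NAME_JWT_TOKEN`. The name says "expired" while the fixture is `"invalid_token"` with a bare 403, so renaming it to something like `test_dispatch_invalid_token` would match what is actually exercised.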
