tirkarthi commented on issue #60265: URL: https://github.com/apache/airflow/issues/60265#issuecomment-3739193142
I might be missing something here since the token is already validated at the middleware. The concern was that we validate the token to get the user object, throw it away in fab `refresh_user`, and again validate it in `UserDep`. This is about setting the validated user object on `request.state.user` to be reused later in the request cycle. As per my understanding, the following happens:

* If the request has an incorrect token, then there will not be any user to be set on `request.app.state`, and the `UserDep` will raise an exception.
* If the request has a correct token, then the user object is fetched from the database/cache (if the worker served the user already), and the `UserDep` will use the user object from `request.app.state` instead of an additional query.

The issue is that if a user is deleted, then the user will still be able to get responses through a cached worker till the cache expires for the TTL. If caching is not feasible due to security concerns, the middleware could at least set the user object to be used by `UserDep`, which will help as the user object exists in the same request cycle.

https://github.com/apache/airflow/blob/67c95c3f80a07ac42e4c39c3aac6c31cb36417f8/airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py#L72
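An added illustration of the two approaches the comment contrasts (example code, not Airflow's own; `Request`, `TTLCache`, `refresh_user_middleware`, `user_dep` and `serve` are constructed stand-ins): the middleware validates the token once and publishes the user on `request.state` so the dependency reuses it within the same request, while a cross-request TTL cache shows the window in which a deleted user still resolves.

```python
import time
from dataclasses import dataclass, field
# Constructed stand-ins (not Airflow code): a user table and a token -> subject map.
USERS = {"alice": {"name": "alice"}}
TOKENS = {"tok-alice": "alice"}

@dataclass
class Request:
    token: str
    state: dict = field(default_factory=dict)  # plays the role of request.state
def validate_token(token):
    """Validate the token and load its user from the 'database'; None if either fails."""
    subject = TOKENS.get(token)
    return USERS.get(subject) if subject else None

class TTLCache:
    """Cross-request user cache with a time-to-live; the clock is injectable for tests."""
    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock, self._entries = ttl, clock, {}
    def get(self, key):
        entry = self._entries.get(key)
        if entry and self.clock() < entry[1]:
            return entry[0]
        self._entries.pop(key, None)  # expired or missing
        return None
    def set(self, key, value):
        self._entries[key] = (value, self.clock() + self.ttl)

def refresh_user_middleware(request, cache=None):
    """Validate once and publish the user on request.state for reuse in this request.
    With a cross-request cache, a deleted user keeps resolving until the entry expires."""
    user = cache.get(request.token) if cache else None
    if user is None:
        user = validate_token(request.token)
        if user is not None and cache is not None:
            cache.set(request.token, user)
    if user is not None:
        request.state["user"] = user
def user_dep(request):
    """UserDep: reuse the already-validated user instead of validating the token again."""
    user = request.state.get("user")
    if user is None:
        raise PermissionError("invalid token or unknown user")
    return user

def serve(token, cache=None):
    # One request cycle: middleware runs first, then the dependency.
    request = Request(token)
    refresh_user_middleware(request, cache)
    return user_dep(request)
```

Without a cache, deleting the user takes effect on the very next request; with the cache, the stale entry keeps answering until its TTL lapses.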
