anishgirianish commented on code in PR #61339:
URL: https://github.com/apache/airflow/pull/61339#discussion_r2755064479


##########
airflow-core/tests/unit/api_fastapi/core_api/routes/public/test_auth.py:
##########
@@ -100,3 +101,39 @@ def test_should_respond_307(
         if delete_cookies:
             cookies = response.headers.get_list("set-cookie")
             assert any(f"{COOKIE_NAME_JWT_TOKEN}=" in c for c in cookies)
+
+    @patch("airflow.models.revoked_token.RevokedToken")
+    def test_logout_blacklists_token(self, mock_revoked_token, test_client):
+        """Test that logout blacklists the JWT token's jti."""
+        test_client.app.state.auth_manager.get_url_logout.return_value = None
+        token_payload = {"sub": "admin", "jti": "test-jti-123", "exp": 
9999999999}
+        token_str = jwt.encode(token_payload, "secret", algorithm="HS256")
+
+        test_client.cookies.set(COOKIE_NAME_JWT_TOKEN, token_str)
+        response = test_client.get("/auth/logout", follow_redirects=False)
+
+        assert response.status_code == 307
+        mock_revoked_token.revoke.assert_called_once()
+        call_args = mock_revoked_token.revoke.call_args
+        assert call_args[0][0] == "test-jti-123"
+
+    @patch("airflow.models.revoked_token.RevokedToken")
+    def test_logout_without_cookie_does_not_blacklist(self, 
mock_revoked_token, test_client):
+        """Test that logout without a cookie does not attempt to blacklist."""
+        test_client.app.state.auth_manager.get_url_logout.return_value = None
+
+        response = test_client.get("/auth/logout", follow_redirects=False)
+
+        assert response.status_code == 307
+        mock_revoked_token.revoke.assert_not_called()
+
+    @patch("airflow.models.revoked_token.RevokedToken")
+    def test_logout_with_malformed_cookie_does_not_blacklist(self, 
mock_revoked_token, test_client):
+        """Test that logout with a malformed cookie does not raise and does 
not blacklist."""
+        test_client.app.state.auth_manager.get_url_logout.return_value = None
+        test_client.cookies.set(COOKIE_NAME_JWT_TOKEN, "not-a-valid-jwt")
+
+        response = test_client.get("/auth/logout", follow_redirects=False)
+
+        assert response.status_code == 307
+        mock_revoked_token.revoke.assert_not_called()
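Review bot: In test_logout_blacklists_token the cookie is signed with the literal key `"secret"`, so the test can only pass if the logout route reads `jti` without verifying the signature against the configured key, or if the fixture happens to use that key, which is not visible in this hunk. If skipping verification at logout is intended, state it in the test, for example `# signed with a throwaway key: logout revokes the jti without verifying the signature`, so that an unverified cookie writing to the revocation table is a documented decision rather than an accident. The positive assertion also checks only the first positional argument; if `revoke` also receives the token's expiry, assert that value too so a revoked entry cannot be stored with a lifetime shorter than the token's. A well-formed token that carries no `jti` claim is a different path from the malformed-cookie case and would merit its own negative test. The enclosing test class starts outside this hunk.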

Review Comment:
   removed mock


