dheerajturaga commented on PR #63195:
URL: https://github.com/apache/airflow/pull/63195#issuecomment-4028893246
> Thanks for the feature — self-service token generation from the UI is a
> nice UX improvement. Two things I'd flag before we proceed:
>
> **1. No error feedback on token generation failure** `TokenGenerationModal.tsx:88-99`
>
> When the API call fails (network error, 401, 500, etc.), the modal
> silently stops loading with no feedback to the user. Every other
> mutation-handling component in the codebase surfaces errors via `ErrorAlert` or
> `toaster.create()` (see `CreateAssetEventModal`, `DeleteXComButton`, etc.).
>
> Switching from raw `fetch()` to the already-generated
> `useAuthLinksServiceGenerateToken` hook (which this PR creates in `queries.ts`
> but never imports) would get you error handling, base URL support for subpath
> deployments, and auth header injection for free:
>
> ```ts
> const { isPending, mutate: generateToken } = useAuthLinksServiceGenerateToken({
>   onSuccess: (data) => {
>     setGeneratedToken(data.access_token);
>     setExpiresIn(data.expires_in_seconds);
>   },
>   onError: () => {
>     toaster.create({
>       description: translate("tokenGeneration.errorDescription"),
>       title: translate("tokenGeneration.errorTitle"),
>       type: "error",
>     });
>   },
> });
> ```
>
> The hardcoded `fetch("/ui/auth/token", ...)` also bypasses the OpenAPI
> client's configured base URL, which would break in subpath deployments.
>
> **2. No audit trail for credential minting** `routes/ui/auth.py:57-76`
>
> Token generation is a security-sensitive operation — a compromised UI
> session could silently mint long-lived API tokens (up to 24h) with no trace.
> Public API mutation endpoints use `@action_logging`; while UI routes don't
> currently use that decorator, minting a JWT that works outside the browser
> session is fundamentally different from reading UI data. At minimum, a
> `log.info` call recording the user identity, token type, and expiration would
> give administrators visibility:
>
> ```python
> log.info(
>     "User %s generated a %s token (expires in %d seconds)",
>     user.get_name(),
>     body.token_type.value,
>     expiration_seconds,
> )
> ```
Thanks for the thorough review @XD-DENG ! I have addressed these
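The audit-trail point in the quoted review (record who minted which token and for how long, and bound the lifetime at 24h) shown as a stand-alone added example; this is not code from the PR or from Airflow. The logger name, the `token_generated` event shape, the "access" token type and the sample log lines are all constructed for the example, and the second function shows the administrator side: scanning such log lines for unusually long-lived tokens.

```python
import json
import logging
from typing import Iterable

# Upper bound cited in the review: UI-minted tokens may live up to 24h.
MAX_TOKEN_LIFETIME_SECONDS = 24 * 60 * 60
log = logging.getLogger("ui.auth.audit")  # hypothetical logger name, not Airflow's
AUDIT_MARKER = "audit "


def audit_token_minted(user_name: str, token_type: str, expiration_seconds: int) -> dict:
    """Write one structured audit record for a token issued from the UI and return it."""
    # Refuse lifetimes outside the allowed window before anything is logged or issued.
    if not 0 < expiration_seconds <= MAX_TOKEN_LIFETIME_SECONDS:
        raise ValueError(f"token lifetime {expiration_seconds}s is outside the allowed range")
    record = {
        "event": "token_generated",
        "user": user_name,
        "token_type": token_type,
        "expires_in_seconds": expiration_seconds,
    }
    # One JSON object per line keeps the record searchable by administrators.
    log.info("%s%s", AUDIT_MARKER, json.dumps(record, sort_keys=True))
    return record


def find_long_lived_mints(lines: Iterable[str], threshold_seconds: int) -> list[dict]:
    """Return token_generated records whose lifetime exceeds threshold_seconds."""
    # Lines without the audit marker, or with malformed JSON after it, are skipped.
    hits = []
    for line in lines:
        idx = line.find(AUDIT_MARKER)
        if idx < 0:
            continue
        try:
            record = json.loads(line[idx + len(AUDIT_MARKER):])
        except json.JSONDecodeError:
            continue
        if record.get("event") == "token_generated" and record.get("expires_in_seconds", 0) > threshold_seconds:
            hits.append(record)
    return hits


# Constructed sample log lines; "access" as a token_type is a made-up value.
SAMPLE_LOG = [
    'INFO audit {"event": "token_generated", "expires_in_seconds": 3600, "token_type": "access", "user": "alice"}',
    "INFO dag processor heartbeat",
    'INFO audit {"event": "token_generated", "expires_in_seconds": 86400, "token_type": "access", "user": "bob"}',
    "INFO audit {not json",
]
```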
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]