wolfdn opened a new pull request, #64955:
URL: https://github.com/apache/airflow/pull/64955

   ## Problem Description
   
   This PR fixes a bug that was introduced by this PR: https://github.com/apache/airflow/pull/62771

   When multiple Airflow instances are hosted on the same domain under different subpaths (e.g. `/team-a/airflow/`, `/team-b/airflow/`), users who previously visited an older Airflow instance end up in an infinite redirect loop on the newer instance.

   The older instance sets the `_token` cookie at `Path=/`. The newer instance scopes its cookie to the subpath (e.g. `Path=/team-a/airflow/`). When the browser sends both cookies, the `JWTRefreshMiddleware` detects the stale root-path token as invalid and clears it — but only at the subpath. The root-path cookie is never removed, so it keeps being sent on every subsequent request:
   
   ```
   GET /team-a/airflow/  (with stale _token at Path=/)
     → middleware rejects token, deletes cookie for Path=/team-a/airflow/
     → 307 redirect to login
   GET /team-a/airflow/auth/login  (root _token still present)
     → middleware rejects token again, deletes cookie for Path=/team-a/airflow/
     → 302 redirect to /team-a/airflow/auth/
     → ...infinite loop
   ```
   
   ## Solution
   
   When the middleware or the logout endpoint clears the `_token` cookie and the configured cookie path is not `/`, also delete the cookie at `Path=/`. This removes the stale root-path cookie on the very first failed validation, breaking the loop immediately.
   
   ## Changes
   
   - **`airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py`** - When invalidating an expired/invalid token, also `delete_cookie` at `Path=/`
   - **`airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py`** - On logout, also `delete_cookie` at `Path=/`
   
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   
   - [x] Yes (please specify the tool below)
     GitHub Copilot - Claude Opus 4.6
   
   
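The redirect chain and the fix described in this PR can be reproduced with a small browser-side model. The following is an added example, not code from the PR or from Airflow: it implements RFC 6265 path matching, a cookie jar keyed on (name, path) so that `_token` at `Path=/` and `_token` at `Path=/team-a/airflow/` are two distinct cookies, and a stand-in for the middleware's clearing step with and without the extra `delete_cookie` at `Path=/`. The token values, the `VALID_TOKENS` set and the `stale_jar` starting state are constructed for the example; the real `JWTRefreshMiddleware` is not involved.

```python
"""Model of the path-scoped _token redirect loop and of the PR's fix (example, not Airflow code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: does the browser send this cookie on this request?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Browser-side store keyed on (name, path): the same name at two paths is two cookies."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, str], str] = {}

    def set_cookie(self, name: str, value: str, path: str) -> None:
        self._store[(name, path)] = value

    def delete_cookie(self, name: str, path: str) -> None:
        # A Set-Cookie with Max-Age=0 only removes the cookie whose name AND path match;
        # a cookie stored at Path=/ survives a deletion issued for a subpath.
        self._store.pop((name, path), None)

    def cookies_for(self, request_path: str) -> list[Cookie]:
        return [Cookie(n, v, p) for (n, p), v in self._store.items() if path_matches(request_path, p)]


# Constructed: the only token the newer instance would accept.
VALID_TOKENS = {"fresh-token"}


def clear_token(jar: CookieJar, cookie_path: str, also_root: bool) -> None:
    """What the middleware/logout endpoint does on an invalid token.

    also_root=False is the behaviour before the PR; also_root=True is the PR's fix.
    """
    jar.delete_cookie("_token", cookie_path)
    if also_root and cookie_path != "/":
        jar.delete_cookie("_token", "/")


def simulate(jar: CookieJar, cookie_path: str, also_root: bool, max_requests: int = 10):
    """Replay the redirect chain from the PR description.

    Returns the request paths issued up to and including the first one that carries no
    stale _token, or None if the chain is still looping after max_requests requests.
    """
    trace: list[str] = []
    request_path = cookie_path  # GET /team-a/airflow/
    for _ in range(max_requests):
        trace.append(request_path)
        tokens = [c for c in jar.cookies_for(request_path) if c.name == "_token"]
        if all(c.value in VALID_TOKENS for c in tokens):
            return trace  # nothing stale was sent; the request goes through
        clear_token(jar, cookie_path, also_root)
        request_path = cookie_path + "auth/login"  # the redirect target
    return None


def stale_jar() -> CookieJar:
    """Constructed starting state: an older instance left _token behind at Path=/."""
    jar = CookieJar()
    jar.set_cookie("_token", "stale-old-instance", "/")
    return jar


if __name__ == "__main__":
    print("before fix:", simulate(stale_jar(), "/team-a/airflow/", also_root=False))
    print("after fix: ", simulate(stale_jar(), "/team-a/airflow/", also_root=True))
```

Run stand-alone, the first line prints `None` (the stale root-path cookie is sent on every request and the chain never settles), the second prints the two-request trace `['/team-a/airflow/', '/team-a/airflow/auth/login']`. The `cookie_path != "/"` guard mirrors the PR's condition: when the configured path already is `/`, the ordinary deletion covers the root cookie and the extra `delete_cookie` is skipped.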
   

