Copilot commented on code in PR #64955:
URL: https://github.com/apache/airflow/pull/64955#discussion_r3066481056


##########
airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py:
##########
@@ -66,12 +66,22 @@ def logout(request: Request, auth_manager: AuthManagerDep) 
-> RedirectResponse:
         auth_manager.revoke_token(token_str)
 
     secure = request.base_url.scheme == "https" or bool(conf.get("api", 
"ssl_cert", fallback=""))
+    cookie_path = get_cookie_path()
     response = RedirectResponse(auth_manager.get_url_login())
     response.delete_cookie(
         key=COOKIE_NAME_JWT_TOKEN,
-        path=get_cookie_path(),
+        path=cookie_path,
         secure=secure,
         httponly=True,
     )
+    # Clear any stale _token cookie at root path "/" left by
+    # older Airflow instances to prevent redirect loops.
+    if cookie_path != "/":
+        response.delete_cookie(
+            key=COOKIE_NAME_JWT_TOKEN,
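Review bot: the second `delete_cookie` call under `if cookie_path != "/":` is cut off after `key=COOKIE_NAME_JWT_TOKEN,` in this hunk, so confirm that it passes `path="/"` and reuses `secure=secure` and `httponly=True` from the first call, so both deletion headers carry consistent attributes. Since the two calls differ only in `path`, a short loop over the set of `cookie_path` and `"/"` would remove the duplicated arguments and make the `cookie_path != "/"` check unnecessary. The comment above the branch says the root cookie causes redirect loops; one more sentence on why (the stale `_token` at `/` is still sent after the subpath cookie is cleared) would help the next reader.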

Review Comment:
   The new logout behavior conditionally deletes the `_token` cookie at both 
the configured subpath and at `Path=/` (when `cookie_path != "/"`), but there 
is no test asserting that the extra root-path deletion header is emitted. 
Please extend the existing logout route tests (e.g. 
`TestLogout.test_logout_cookie_uses_subpath`) to verify a second `Set-Cookie` 
entry is present with `Path=/` when `get_cookie_path()` returns a subpath.


