This is an automated email from the ASF dual-hosted git repository.

vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 314da4e4585 Set SameSite=Lax on SimpleAuthManager all-admins login cookie (#66502)
314da4e4585 is described below

commit 314da4e4585570c9bfc94b4b9d8c0535d333cdd2
Author: Jarek Potiuk <[email protected]>
AuthorDate: Thu May 7 16:00:38 2026 +0200

    Set SameSite=Lax on SimpleAuthManager all-admins login cookie (#66502)
    
    The all-admins login response set Secure (conditional on HTTPS) and
    HttpOnly on the JWT cookie but omitted SameSite. JWTRefreshMiddleware
    already sets samesite="lax" on the cookie it issues. Bring the login
    response in line so both code paths produce cookies with the same
    attributes.
    
    The cookie's Secure flag was already set conditionally based on HTTPS
    or configured ssl_cert — only SameSite was missing.
---
 .../src/airflow/api_fastapi/auth/managers/simple/routes/login.py         | 1 +
 .../tests/unit/api_fastapi/auth/managers/simple/routes/test_login.py     | 1 +
 2 files changed, 2 insertions(+)

diff --git 
a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/routes/login.py 
b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/routes/login.py
index f65aa71f223..fc5938a14cc 100644
--- a/airflow-core/src/airflow/api_fastapi/auth/managers/simple/routes/login.py
+++ b/airflow-core/src/airflow/api_fastapi/auth/managers/simple/routes/login.py
@@ -97,6 +97,7 @@ def login_all_admins(request: Request) -> RedirectResponse:
         path=get_cookie_path(),
         secure=secure,
         httponly=True,
+        samesite="lax",
     )
     return response
 
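Review bot: `samesite="lax"` on the `_token` cookie in `login_all_admins` matches the refresh path, but Lax is the weaker of the two enforcing values: browsers still attach a Lax cookie on top-level cross-site navigations (a link from another origin into the UI), so this blocks cross-site POST/fetch/iframe requests from carrying the token but not link-based ones. If nothing in the redirect flow needs the cookie on a cross-site navigation, `samesite="strict"` is the stricter choice; if Lax is required, a one-line comment next to the attribute saying why would save the next reader the question. Note also that `secure=secure` in the same call stays conditional, so on a plain-HTTP deployment the cookie ships with HttpOnly and SameSite=Lax only.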
diff --git 
a/airflow-core/tests/unit/api_fastapi/auth/managers/simple/routes/test_login.py 
b/airflow-core/tests/unit/api_fastapi/auth/managers/simple/routes/test_login.py
index 8729b483b4a..85c24cf8ac8 100644
--- 
a/airflow-core/tests/unit/api_fastapi/auth/managers/simple/routes/test_login.py
+++ 
b/airflow-core/tests/unit/api_fastapi/auth/managers/simple/routes/test_login.py
@@ -85,6 +85,7 @@ class TestLogin:
             assert response.status_code == 307
             assert "location" in response.headers
             assert response.cookies.get("_token") is not None
+            assert "samesite=lax" in response.headers["set-cookie"].lower()
 
     def test_login_all_admins_config_disabled(self, test_client):
         response = test_client.get("/auth/token/login", follow_redirects=False)
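Review bot: the new assertion is a substring search over `response.headers["set-cookie"]` rather than a check on the `_token` cookie itself; if this response ever sets a second cookie, a bare `"samesite=lax" in ...` passes as long as any cookie in the header carries the attribute. Parsing the header and checking the attribute on the named cookie, e.g. `jar = SimpleCookie(response.headers["set-cookie"])` / `assert jar["_token"]["samesite"].lower() == "lax"` (with `from http.cookies import SimpleCookie`), pins it to the right cookie. While here, asserting `httponly` (and `secure` under an HTTPS request) the same way would lock in all three attributes the commit message describes, not only the one this patch adds.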

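To make the commit message's point concrete, here is an added Python example (not Airflow code) that renders the `_token` cookie the way the login route did before and after this patch, using only the standard library, and audits a Set-Cookie header for the three attributes discussed: Secure (required only when the response went over HTTPS, mirroring the route's conditional), HttpOnly and SameSite. The helper names, the placeholder JWT value and the audit messages are made up for the example; the cookie name `_token` and the attribute set come from the diff above.

```python
"""Audit the attributes of a Set-Cookie header.

Added example for this commit, not Airflow's own code. It builds the cookie
the way the login route did before the patch (Secure + HttpOnly) and after
(Secure + HttpOnly + SameSite=Lax), then checks each header for the
attributes a bearer-token cookie should carry. The cookie name "_token"
is taken from the diff; the JWT value below is a constructed placeholder.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

COOKIE_NAME = "_token"
FAKE_JWT = "eyJhbGciOiJIUzI1NiJ9.e30.signature"  # constructed placeholder, not a real token


def build_login_cookie(secure: bool, samesite: str | None, path: str = "/") -> str:
    """Render a Set-Cookie header value the way a set_cookie() call would.

    samesite=None reproduces the pre-patch behaviour (attribute omitted).
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = FAKE_JWT
    morsel = jar[COOKIE_NAME]
    morsel["path"] = path
    morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    if samesite is not None:
        morsel["samesite"] = samesite
    return morsel.OutputString()


def parse_set_cookie(header: str) -> dict[str, str | None]:
    """Split a Set-Cookie header into lower-cased attribute names.

    Flag attributes (Secure, HttpOnly) map to None; valued ones (Path,
    SameSite) map to their value. The first "name=value" pair is the
    cookie itself and is stored under __name__ / __value__.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {"__name__": name, "__value__": value}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.lower()] = val if sep else None
    return attrs


def audit_session_cookie(header: str, served_over_https: bool) -> list[str]:
    """Return the hardening problems found in a Set-Cookie header.

    Secure is only required when the response went over HTTPS, mirroring
    the conditional in the patched route; HttpOnly and SameSite are
    always required for a cookie that carries a bearer token.
    """
    attrs = parse_set_cookie(header)
    problems: list[str] = []
    if served_over_https and "secure" not in attrs:
        problems.append("missing Secure on an HTTPS response")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if not samesite:
        # Some browsers treat a missing SameSite as Lax, others do not; set it explicitly.
        problems.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None requires Secure")
    return problems


if __name__ == "__main__":
    before = build_login_cookie(secure=True, samesite=None)
    after = build_login_cookie(secure=True, samesite="lax")
    print("before:", before, "->", audit_session_cookie(before, True))
    print("after: ", after, "->", audit_session_cookie(after, True))
```

Running the block prints the pre-patch header with one finding (`missing SameSite`) and the post-patch header with none; the same `audit_session_cookie` function can be pointed at a captured `Set-Cookie` value from any deployment to check that all three attributes survived whatever proxy sits in front of the webserver.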