GayathriSrividya commented on code in PR #68054:
URL: https://github.com/apache/airflow/pull/68054#discussion_r3385762558
##########
airflow-core/tests/unit/api_fastapi/execution_api/versions/head/test_router.py:
##########
@@ -67,3 +126,41 @@ def test_expiring_token_is_reissued(
assert "Refreshed-API-Token" in response.headers
else:
assert "Refreshed-API-Token" not in response.headers
+ # avalidated_claims must be called exactly once — by JWTBearer only, not
by the middleware.
+ auth.avalidated_claims.assert_awaited_once_with("dummy", {})
+
+
[email protected]_test
+def test_token_expiring_mid_request_is_reissued_without_revalidation(client,
exec_app: FastAPI, time_machine):
+ """Middleware reissues from cached JWTBearer claims without re-validating
the token.
+
+ Regression test for the TOCTOU race in JWTReissueMiddleware: a heartbeat
arrives with a
+ token that has ~0s left, JWTBearer validates it (still technically valid
at that moment),
+ the request completes, and the middleware runs. In the old code the
middleware would call
Review Comment:
@ashb working on your suggestions