This is an automated email from the ASF dual-hosted git repository.
pierrejeambrun pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new a7cc0f9d45d Secure AWS auth cookies behind TLS proxies (#69898)
a7cc0f9d45d is described below
commit a7cc0f9d45d4aaedff48692c6e173e303b5d98c7
Author: Shae Alhusayni <[email protected]>
AuthorDate: Wed Jul 15 05:10:19 2026 -0700
Secure AWS auth cookies behind TLS proxies (#69898)
TLS is commonly terminated upstream, leaving api.ssl_cert empty even though
browsers reach Airflow over HTTPS.
---
.../airflow/providers/amazon/aws/auth_manager/routes/login.py | 2 +-
.../tests/unit/amazon/aws/auth_manager/routes/test_login.py | 11 ++++++++---
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git
a/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py
b/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py
index 5f7dcb84bcd..d88c2b15252 100644
---
a/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py
+++
b/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py
@@ -118,7 +118,7 @@ def login_callback(request: Request):
if relay_state == "login-redirect":
response = RedirectResponse(url=url, status_code=303)
- secure = bool(conf.get("api", "ssl_cert", fallback=""))
+ secure = request.base_url.scheme == "https" or bool(conf.get("api",
"ssl_cert", fallback=""))
# In Airflow 3.1.1 authentication changes, front-end no longer handle
the token
# See https://github.com/apache/airflow/pull/55506
cookie_path = get_cookie_path()
diff --git
a/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py
b/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py
index b24ec8b1bf7..350b1b9afe4 100644
--- a/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py
+++ b/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py
@@ -80,7 +80,7 @@ def test_client():
yield TestClient(create_app())
-def get_login_callback_response(relay_state: str):
+def get_login_callback_response(relay_state: str, *, base_url: str =
"http://testserver"):
with conf_vars(
{
(
@@ -88,7 +88,7 @@ def get_login_callback_response(relay_state: str):
"auth_manager",
):
"airflow.providers.amazon.aws.auth_manager.aws_auth_manager.AwsAuthManager",
("aws_auth_manager", "saml_metadata_url"): SAML_METADATA_URL,
- ("api", "ssl_cert"): "false",
+ ("api", "ssl_cert"): "",
}
):
with (
@@ -112,7 +112,7 @@ def get_login_callback_response(relay_state: str):
"email": ["email"],
}
mock_init_saml_auth.return_value = auth
- client = TestClient(create_app())
+ client = TestClient(create_app(), base_url=base_url)
return client.post(
AUTH_MANAGER_FASTAPI_APP_PREFIX + "/login_callback",
follow_redirects=False,
@@ -141,6 +141,11 @@ class TestLoginRouter:
assert "_token" in response.cookies
assert
response.headers["location"].startswith("http://localhost:8080/")
+ def test_login_callback_sets_secure_cookie_behind_tls_proxy(self):
+ response = get_login_callback_response("login-redirect",
base_url="https://testserver")
+
+ assert "Secure" in response.headers["set-cookie"]
+
def test_login_callback_successful_with_relay_state_token(self):
response = get_login_callback_response("login-token")
assert response.status_code == 200