This is an automated email from the ASF dual-hosted git repository.

pierrejeambrun pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new a7cc0f9d45d Secure AWS auth cookies behind TLS proxies (#69898)
a7cc0f9d45d is described below

commit a7cc0f9d45d4aaedff48692c6e173e303b5d98c7
Author: Shae Alhusayni <[email protected]>
AuthorDate: Wed Jul 15 05:10:19 2026 -0700

    Secure AWS auth cookies behind TLS proxies (#69898)
    
    TLS is commonly terminated upstream, leaving api.ssl_cert empty even though 
browsers reach Airflow over HTTPS.
---
 .../airflow/providers/amazon/aws/auth_manager/routes/login.py |  2 +-
 .../tests/unit/amazon/aws/auth_manager/routes/test_login.py   | 11 ++++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git 
a/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py
 
b/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py
index 5f7dcb84bcd..d88c2b15252 100644
--- 
a/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py
+++ 
b/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py
@@ -118,7 +118,7 @@ def login_callback(request: Request):
 
     if relay_state == "login-redirect":
         response = RedirectResponse(url=url, status_code=303)
-        secure = bool(conf.get("api", "ssl_cert", fallback=""))
+        secure = request.base_url.scheme == "https" or bool(conf.get("api", 
"ssl_cert", fallback=""))
         # In Airflow 3.1.1 authentication changes, front-end no longer handle 
the token
         # See https://github.com/apache/airflow/pull/55506
         cookie_path = get_cookie_path()
diff --git 
a/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py 
b/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py
index b24ec8b1bf7..350b1b9afe4 100644
--- a/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py
+++ b/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py
@@ -80,7 +80,7 @@ def test_client():
             yield TestClient(create_app())
 
 
-def get_login_callback_response(relay_state: str):
+def get_login_callback_response(relay_state: str, *, base_url: str = 
"http://testserver";):
     with conf_vars(
         {
             (
@@ -88,7 +88,7 @@ def get_login_callback_response(relay_state: str):
                 "auth_manager",
             ): 
"airflow.providers.amazon.aws.auth_manager.aws_auth_manager.AwsAuthManager",
             ("aws_auth_manager", "saml_metadata_url"): SAML_METADATA_URL,
-            ("api", "ssl_cert"): "false",
+            ("api", "ssl_cert"): "",
         }
     ):
         with (
@@ -112,7 +112,7 @@ def get_login_callback_response(relay_state: str):
                 "email": ["email"],
             }
             mock_init_saml_auth.return_value = auth
-            client = TestClient(create_app())
+            client = TestClient(create_app(), base_url=base_url)
             return client.post(
                 AUTH_MANAGER_FASTAPI_APP_PREFIX + "/login_callback",
                 follow_redirects=False,
@@ -141,6 +141,11 @@ class TestLoginRouter:
         assert "_token" in response.cookies
         assert 
response.headers["location"].startswith("http://localhost:8080/";)
 
+    def test_login_callback_sets_secure_cookie_behind_tls_proxy(self):
+        response = get_login_callback_response("login-redirect", 
base_url="https://testserver";)
+
+        assert "Secure" in response.headers["set-cookie"]
+
     def test_login_callback_successful_with_relay_state_token(self):
         response = get_login_callback_response("login-token")
         assert response.status_code == 200

Reply via email to