The GitHub Actions job "Tests" on airflow.git/main has failed. Run started by GitHub user potiuk (triggered by potiuk).
Head commit for run: 2ebec1630d62a88fab4e8d86b9b8595a34d73323 / Josef Gustafson <[email protected]> Fix OAuth session race condition causing false 401 errors during login (#61287) * Fix OAuth session race condition causing false 401 errors during login Fixes #57981 When users authenticate via Azure OAuth SSO (and other OAuth providers), the UI briefly displays an authentication error message during the OAuth redirect flow. The error appears for approximately 1 second before disappearing once authentication successfully completes. Root Cause: The issue stems from a race condition during the OAuth authentication flow. After the OAuth callback completes and the user is authenticated, the Flask session containing OAuth tokens and user data may not be fully committed to the session backend (cookie or database) before the redirect response is sent to the client. When the UI loads and immediately makes API requests (like /ui/config), these requests arrive before the session is available, causing temporary 401 Unauthorized errors. Solution: This commit introduces a CustomAuthOAuthView that extends Flask-AppBuilder's AuthOAuthView to explicitly ensure the session is committed before redirecting. The fix: 1. Created providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py with CustomAuthOAuthView class 2. Override oauth_authorized() method to mark session.modified = True after parent's OAuth callback handling completes 3. Updated security_manager/override.py to use CustomAuthOAuthView instead of the default AuthOAuthView This ensures Flask's session interface saves the session via the after_request handler before the HTTP redirect response is sent to the client, eliminating the race condition. The fix addresses the root cause as suggested by maintainer feedback on PR #58037, rather than masking the error in the UI. Testing: - Syntax validated with py_compile - Works with both session backends (database and securecookie) - Maintains backward compatibility with existing OAuth flows Related Issues: - #55612 - Airflow UI initial XHR returns 401 before session cookie is set - #57534 - Airflow 3.1.1 oauth login failure - #57485 - Airflow 3.1.1 oauth login broken - PR #58037 - Previous UI-based workaround attempt (closed) Signed-off-by: Jgprog117 <[email protected]> * Fix logging to use %-formatting instead of f-strings * Add tests for CustomAuthOAuthView * Fix linting and formatting issues in OAuth session race condition fix Remove unused imports, fix import ordering, and apply ruff formatting: - Remove unused pytest import from test_auth_oauth.py - Remove unused AuthOAuthView import from override.py - Fix import ordering to comply with ruff formatting rules - Apply ruff format to test file * Address PR review feedback from SameerMesiah97 - Remove redundant if/else branching that did the same thing in both paths - Fix misleading "completed successfully" log message to neutral wording - Replace brittle __class__.__bases__[0] mocking with explicit AuthOAuthView - Consolidate duplicate backend tests into a single parametrized test * Fix test RuntimeError by avoiding Flask session LocalProxy access Use mock.patch with new= as context manager instead of decorator to prevent mock from inspecting the Flask session LocalProxy, which requires an active request context. --------- Signed-off-by: Jgprog117 <[email protected]> Report URL: https://github.com/apache/airflow/actions/runs/21614077022 With regards, GitHub Actions via GitBox --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
