Fix redirect loop when stale root-path _token cookie exists from older Airflow instance#64955
Conversation
…der Airflow instance
There was a problem hiding this comment.
Nice thanks for the PR and the findings.
Only the refresh path has an updated test.
Do you mind also adding a similar test for the 'logout' part.
Adding code to clear the root cookies on every call when we are on a sub domain doesn't look maintainable / efficient.
Also isn't this because of your setup / migration? Like users now have a stale root cookies and they need to clean there local env to access again then this root cookie will never be set again since subdomain are handled?
Like I understand the PR linked above broke your setup. (people using subdomain) until they clear their local storage, and that is sort of a 'migration' helper, or is that solving a problem that can happen on a normal setup?
There was a problem hiding this comment.
Pull request overview
Fixes an infinite redirect loop that can occur when multiple Airflow instances are hosted under different subpaths on the same domain and a stale root-path (Path=/) _token cookie from an older instance is still present.
Changes:
- Update
JWTRefreshMiddlewareto clear_tokenat both the configured cookie subpath and atPath=/when invalidating a token. - Update the logout route to also delete the
_tokencookie atPath=/when the configured cookie path is a subpath. - Add a unit test covering middleware behavior when clearing cookies under a subpath.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py | Deletes a stale root-path _token cookie when expiring/invalidating the token under a subpath. |
| airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py | On logout, deletes _token at the configured subpath and additionally at Path=/ when applicable. |
| airflow-core/tests/unit/api_fastapi/auth/middlewares/test_refresh_token.py | Adds coverage ensuring middleware emits deletion headers for both subpath and root cookie paths. |
…ists from older Airflow instance (#64955) * Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance * Adapt conditions to clear stale root path cookies * Extend test for clearing stale root path cookies on logout (cherry picked from commit ad269ed) Co-authored-by: Daniel Wolf <[email protected]>
Backport successfully created: v3-2-testNote: As of Merging PRs targeted for Airflow 3.X In matter of doubt please ask in #release-management Slack channel.
|
…ists from older Airflow instance (#64955) (#65177) * Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance * Adapt conditions to clear stale root path cookies * Extend test for clearing stale root path cookies on logout (cherry picked from commit ad269ed) Co-authored-by: Daniel Wolf <[email protected]>
…ists from older Airflow instance (#64955) (#65177) * Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance * Adapt conditions to clear stale root path cookies * Extend test for clearing stale root path cookies on logout (cherry picked from commit ad269ed) Co-authored-by: Daniel Wolf <[email protected]>
…ists from older Airflow instance (#64955) (#65177) * Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance * Adapt conditions to clear stale root path cookies * Extend test for clearing stale root path cookies on logout (cherry picked from commit ad269ed) Co-authored-by: Daniel Wolf <[email protected]>
…ists from older Airflow instance (#64955) (#65177) * Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance * Adapt conditions to clear stale root path cookies * Extend test for clearing stale root path cookies on logout (cherry picked from commit ad269ed) Co-authored-by: Daniel Wolf <[email protected]>
…ists from older Airflow instance (#64955) (#65177) * Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance * Adapt conditions to clear stale root path cookies * Extend test for clearing stale root path cookies on logout (cherry picked from commit ad269ed) Co-authored-by: Daniel Wolf <[email protected]>
Problem Description
This PR fixes a bug that was introduced by this PR: #62771
When multiple Airflow instances are hosted on the same domain under different subpaths
(e.g.
/team-a/airflow/,/team-b/airflow/), users who previously visited an olderAirflow instance end up in an infinite redirect loop on the newer instance.
The older instance sets the
_tokencookie atPath=/. The newer instance scopes itscookie to the subpath (e.g.
Path=/team-a/airflow/). When the browser sends both cookies,the
JWTRefreshMiddlewaredetects the stale root-path token as invalid and clears it —but only at the subpath. The root-path cookie is never removed, so it keeps being sent on
every subsequent request:
Solution
When the middleware or the logout endpoint clears the
_tokencookie and the configuredcookie path is not
/, also delete the cookie atPath=/. This removes the staleroot-path cookie on the very first failed validation, breaking the loop immediately.
Changes
airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py-When invalidating an expired/invalid token, also
delete_cookieatPath=/airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py-On logout, also
delete_cookieatPath=/Was generative AI tooling used to co-author this PR?
GitHub Copilot - Claude Opus 4.6
{pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.