Skip to content

Fix redirect loop when stale root-path _token cookie exists from older Airflow instance#64955

Merged
jscheffl merged 3 commits into
apache:mainfrom
boschglobal:bugfix/correctly-handle-invalid-cookie-at-root-path
Apr 13, 2026
Merged

Fix redirect loop when stale root-path _token cookie exists from older Airflow instance#64955
jscheffl merged 3 commits into
apache:mainfrom
boschglobal:bugfix/correctly-handle-invalid-cookie-at-root-path

Conversation

@wolfdn

@wolfdn wolfdn commented Apr 9, 2026

Copy link
Copy Markdown
Contributor

Problem Description

This PR fixes a bug that was introduced by this PR: #62771

When multiple Airflow instances are hosted on the same domain under different subpaths
(e.g. /team-a/airflow/, /team-b/airflow/), users who previously visited an older
Airflow instance end up in an infinite redirect loop on the newer instance.

The older instance sets the _token cookie at Path=/. The newer instance scopes its
cookie to the subpath (e.g. Path=/team-a/airflow/). When the browser sends both cookies,
the JWTRefreshMiddleware detects the stale root-path token as invalid and clears it —
but only at the subpath. The root-path cookie is never removed, so it keeps being sent on
every subsequent request:

GET /team-a/airflow/  (with stale _token at Path=/)
  → middleware rejects token, deletes cookie for Path=/team-a/airflow/
  → 307 redirect to login
GET /team-a/airflow/auth/login  (root _token still present)
  → middleware rejects token again, deletes cookie for Path=/team-a/airflow/
  → 302 redirect to /team-a/airflow/auth/
  → ...infinite loop

Solution

When the middleware or the logout endpoint clears the _token cookie and the configured
cookie path is not /, also delete the cookie at Path=/. This removes the stale
root-path cookie on the very first failed validation, breaking the loop immediately.

Changes

  • airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py -
    When invalidating an expired/invalid token, also delete_cookie at Path=/
  • airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py -
    On logout, also delete_cookie at Path=/

Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)
    GitHub Copilot - Claude Opus 4.6

  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

@jscheffl jscheffl left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix!

@pierrejeambrun pierrejeambrun left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice thanks for the PR and the findings.

Only the refresh path has an updated test.

Do you mind also adding a similar test for the 'logout' part.

Adding code to clear the root cookies on every call when we are on a sub domain doesn't look maintainable / efficient.

Also isn't this because of your setup / migration? Like users now have a stale root cookies and they need to clean there local env to access again then this root cookie will never be set again since subdomain are handled?

Like I understand the PR linked above broke your setup. (people using subdomain) until they clear their local storage, and that is sort of a 'migration' helper, or is that solving a problem that can happen on a normal setup?

Comment thread airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py Outdated
@kaxil kaxil requested a review from Copilot April 10, 2026 19:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes an infinite redirect loop that can occur when multiple Airflow instances are hosted under different subpaths on the same domain and a stale root-path (Path=/) _token cookie from an older instance is still present.

Changes:

  • Update JWTRefreshMiddleware to clear _token at both the configured cookie subpath and at Path=/ when invalidating a token.
  • Update the logout route to also delete the _token cookie at Path=/ when the configured cookie path is a subpath.
  • Add a unit test covering middleware behavior when clearing cookies under a subpath.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py Deletes a stale root-path _token cookie when expiring/invalidating the token under a subpath.
airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py On logout, deletes _token at the configured subpath and additionally at Path=/ when applicable.
airflow-core/tests/unit/api_fastapi/auth/middlewares/test_refresh_token.py Adds coverage ensuring middleware emits deletion headers for both subpath and root cookie paths.

Comment thread airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py
@jscheffl jscheffl merged commit ad269ed into apache:main Apr 13, 2026
272 of 273 checks passed
github-actions Bot pushed a commit that referenced this pull request Apr 13, 2026
…ists from older Airflow instance (#64955)

* Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance

* Adapt conditions to clear stale root path cookies

* Extend test for clearing stale root path cookies on logout
(cherry picked from commit ad269ed)

Co-authored-by: Daniel Wolf <[email protected]>
@github-actions

Copy link
Copy Markdown
Contributor

Backport successfully created: v3-2-test

Note: As of Merging PRs targeted for Airflow 3.X
the committer who merges the PR is responsible for backporting the PRs that are bug fixes (generally speaking) to the maintenance branches.

In matter of doubt please ask in #release-management Slack channel.

Status Branch Result
v3-2-test PR Link

jscheffl pushed a commit that referenced this pull request Apr 13, 2026
…ists from older Airflow instance (#64955) (#65177)

* Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance

* Adapt conditions to clear stale root path cookies

* Extend test for clearing stale root path cookies on logout
(cherry picked from commit ad269ed)

Co-authored-by: Daniel Wolf <[email protected]>
@vatsrahul1001 vatsrahul1001 added the type:bug-fix Changelog: Bug Fixes label Apr 14, 2026
vatsrahul1001 pushed a commit that referenced this pull request Apr 15, 2026
…ists from older Airflow instance (#64955) (#65177)

* Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance

* Adapt conditions to clear stale root path cookies

* Extend test for clearing stale root path cookies on logout
(cherry picked from commit ad269ed)

Co-authored-by: Daniel Wolf <[email protected]>
vatsrahul1001 pushed a commit that referenced this pull request Apr 15, 2026
…ists from older Airflow instance (#64955) (#65177)

* Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance

* Adapt conditions to clear stale root path cookies

* Extend test for clearing stale root path cookies on logout
(cherry picked from commit ad269ed)

Co-authored-by: Daniel Wolf <[email protected]>
vatsrahul1001 pushed a commit that referenced this pull request Apr 15, 2026
…ists from older Airflow instance (#64955) (#65177)

* Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance

* Adapt conditions to clear stale root path cookies

* Extend test for clearing stale root path cookies on logout
(cherry picked from commit ad269ed)

Co-authored-by: Daniel Wolf <[email protected]>
vatsrahul1001 pushed a commit that referenced this pull request Apr 15, 2026
…ists from older Airflow instance (#64955) (#65177)

* Fix redirect loop when stale root-path `_token` cookie exists from older Airflow instance

* Adapt conditions to clear stale root path cookies

* Extend test for clearing stale root path cookies on logout
(cherry picked from commit ad269ed)

Co-authored-by: Daniel Wolf <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:API Airflow's REST/HTTP API type:bug-fix Changelog: Bug Fixes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants