wolfdn opened a new pull request, #62771:
URL: https://github.com/apache/airflow/pull/62771

   
   ## Description
   
   At the moment the `_token` in cookies is always scoped to the root `/` of the domain Airflow is running in. This can be a problem when an Airflow instance is not running on the root of the domain, but in a subpath (can be configured using the [base_url](https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#base-url) parameter).
   In that case, the `_token` cookie that was created for a user after login will also be sent to other applications that run under the same domain.
   
   This PR scopes the `_token` in cookies to the subpath in which an Airflow instance is actually running.
   In this PR there are some unit tests included to verify this behaviour, but it can also be tested locally as follows:
   
   - Run Airflow in a subpath: `BREEZE_INIT_COMMAND='export AIRFLOW__API__BASE_URL="http://localhost:8080/team-a";' breeze start-airflow`
   - Open a private browser window (to make sure there are no cookies present for localhost) and open the following URL: http://localhost:28080/team-a
   - Log in (default credentials are admin / admin)
   - Using the developer tools of your browser (e.g. in Firefox CTRL+SHIFT+I) you can see that the `_token` cookie now contains the path `/team-a`
   
   Scoping the `_token` cookie to the base_url has some usability advantages (switching between Airflow instances under the same domain without signing in and out on each switch), but it also has some security implications.
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   
   - [x] Yes (please specify the tool below)
     GitHub Copilot - Claude Opus 4.6
   
   
   ---
   
   * Read the **[Pull Request Guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#pull-request-guidelines)** for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
   * For fundamental code changes, an Airflow Improvement Proposal ([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvement+Proposals)) is needed.
   * When adding dependency, check compliance with the [ASF 3rd Party License Policy](https://www.apache.org/legal/resolved.html#category-x).
   * For significant user-facing changes create newsfragment: `{pr_number}.significant.rst` or `{issue_number}.significant.rst`, in [airflow-core/newsfragments](https://github.com/apache/airflow/tree/main/airflow-core/newsfragments).
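The following is an added illustration of the cookie-scoping behaviour the Description above talks about; it is not code from the PR or from Airflow. It models the RFC 6265 section 5.1.4 path-match rule a browser applies before attaching a cookie, and shows why a `_token` cookie with `Path=/` reaches every application on the host while one with `Path=/team-a` does not. The `cookie_path_for_base_url` helper is an assumption about how a Path attribute could be derived from a `base_url`, not the PR's implementation; all hostnames, paths and cookie values are constructed.

```python
"""Cookie Path scoping on a shared host, modelled after RFC 6265 section 5.1.4.

Added illustration for the `_token` cookie discussion; it is not Airflow's
code. The sample cookies, hostnames and request URLs below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str  # value of the Path attribute the server sent


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: is a cookie with `cookie_path`
    attached to a request for `request_path`?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Either the cookie path ends in "/" ("/team-a/" matches "/team-a/x"),
        # or the next request-path character is "/" ("/team-a" matches
        # "/team-a/x" but not "/team-ab/x").
        if cookie_path.endswith("/") or request_path[len(cookie_path)] == "/":
            return True
    return False


def cookies_sent(jar: list[Cookie], url: str) -> list[str]:
    """Names of the cookies a browser would attach to a request for `url`
    (host, Secure and HttpOnly checks omitted; only the Path rule is modelled)."""
    request_path = urlparse(url).path or "/"
    return [c.name for c in jar if path_matches(request_path, c.path)]


def cookie_path_for_base_url(base_url: str) -> str:
    """Derive a Path attribute from a configured base_url.

    Assumption (not taken from the PR): the path component of base_url is
    used with any trailing slash removed, falling back to "/" when empty.
    """
    path = urlparse(base_url).path.rstrip("/")
    return path or "/"


# Constructed scenario: two Airflow instances and an unrelated app share one host.
ROOT_SCOPED = Cookie("_token", "jwt-for-team-a", path="/")           # cookie as set before the PR
SUBPATH_SCOPED = Cookie("_token", "jwt-for-team-a", path="/team-a")  # cookie as set after the PR

if __name__ == "__main__":
    for cookie in (ROOT_SCOPED, SUBPATH_SCOPED):
        for url in ("http://localhost:8080/team-a/api/v2/dags",
                    "http://localhost:8080/team-b/api/v2/dags",
                    "http://localhost:8080/team-ab/",
                    "http://localhost:8080/other-app/"):
            sent = cookies_sent([cookie], url)
            print(f"Path={cookie.path!r:10} -> {url}: {'sent' if sent else 'not sent'}")
```

Running the block prints, for each of the two cookies, whether it would be attached to requests for a second Airflow instance (`/team-b`), an unrelated application (`/other-app`) and a path that merely shares a prefix (`/team-ab`). The root-scoped cookie is sent to all of them; the subpath-scoped cookie is sent only under `/team-a`, and the `/team-ab` case shows that the match is on path segments, not on a raw string prefix.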
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
