AIP-84 : Add JWT token revokation for logout invalidation (#47952)#61339
Conversation
anishgirianish
requested review from
XD-DENG,
ashb,
bugraoz93,
choo121600,
ephraimbuddy,
jason810496,
pierrejeambrun,
rawwar,
shubhamraj-git and
vincbeck
as code owners
boring-cyborg
bot
added
area:API
There was a problem hiding this comment.
Nice! Thanks for the PR and it LGTM.
I think this PR is on the correct direction to resolve #47952.
airflow-core/src/airflow/api_fastapi/auth/managers/base_auth_manager.py
Outdated
Show resolved
Hide resolved
airflow-core/src/airflow/api_fastapi/auth/managers/base_auth_manager.py
Outdated
Show resolved
Hide resolved
airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py
Outdated
Show resolved
Hide resolved
airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py
Outdated
Show resolved
Hide resolved
airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py
Outdated
Show resolved
Hide resolved
airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py
Outdated
Show resolved
Hide resolved
airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py
Outdated
Show resolved
Hide resolved
airflow-core/tests/unit/api_fastapi/core_api/routes/public/test_auth.py
Outdated
Show resolved
Hide resolved
anishgirianish
force-pushed
the
feature/47952-aip-token-invalidation-on-logout
branch
2 times, most recently
from
0c84287 to
e7f823e
Compare
airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py
Outdated
Show resolved
Hide resolved
jason810496
left a comment
jason810496
left a comment
There was a problem hiding this comment.
These added tests were already part of the existing TestLogout class.,
My bad, I overstated the the TestLogout class above.
Nice! Regarding the public method Vincent mentioned, the tests look good, and rest of the changes LGTM. Thanks!
anishgirianish
force-pushed
the
feature/47952-aip-token-invalidation-on-logout
branch
from
e7f823e to
3be8480
Compare
|
Nice. Tests need to be fixed of course, and I think we should also add another thing - auto cleanup not only on clean_db but run (not always - just from time to time - we could store in memory last time when it was run and run it after an hour passes or so - when a token is checked. That will slightly slow down some login attempts - but it will also auto-clean the db when |
anishgirianish
force-pushed
the
feature/47952-aip-token-invalidation-on-logout
branch
2 times, most recently
from
3b52ca2 to
0c51fff
Compare
jason810496
left a comment
jason810496
left a comment
There was a problem hiding this comment.
Nice! Thanks for addressing the comments and fixing the tests.
…t is_revoked mock
anishgirianish
force-pushed
the
feature/47952-aip-token-invalidation-on-logout
branch
from
397534c to
5e0c33b
Compare
bugraoz93
left a comment
bugraoz93
left a comment
There was a problem hiding this comment.
Nice, thanks @anishgirianish!
|
I would like to call this PR for the #protm, which is solving a good problem for the token lifecycle. Additionally, it opens the door for great security improvement(s), such as a token invalidation endpoint for administrators in case of a token leak. |
Agree! |
jason810496
left a comment
jason810496
left a comment
There was a problem hiding this comment.
I would like to call this PR for the protm if no one disagrees :)
+1 for that!
6 participants
Summary
revoked_tokentable to persist revoked JWT token JTIs on logoutjtiis extracted and stored with itsexptimestampget_user_from_tokenchecks if thejtihas been revoked before allowing accessdb_cleanupmechanismcloses: #47952