Spaarsh commented on issue #40470:
URL: https://github.com/apache/airflow/issues/40470#issuecomment-2562959175

   It took me a while to triage this issue. I went through the master-branch 
code as well as the last released source code of airflow (2.10.4). I think I 
may have a way of solving this. Please correct me if I am wrong!
   
   ### Triaging
   I thoroughly went through the entirety of the auth-related code (to the best 
of my ability). There is no wrong method being called. But since the FAB 
requires us to not allow any GET requests at the /logout API endpoint, the HTML 
can't be rendered when a user manually enters the URL in the browser.
   
   Before moving further though, I wanted to ensure that the /logout endpoint 
does work for POST requests. There is one instance of JS code sending a POST 
request to the /logout endpoint via `no_roles_permissions.html`, where 
there is a logout button. In order to test this, I created a user with no roles 
using the command:
   ```
   airflow users create \
       --username no_roles_user \
       --firstname No \
       --lastname Roles \
       --email [email protected] \
       --password your_password \
       --role Public
   ```
   
   When I then went to the /home page, the expected page showed up:
   
![image](https://github.com/user-attachments/assets/3593d7d9-3c63-4475-a674-afad514607c4)
   
   When I clicked on the "logout" button, I was successfully able to log out, 
indicating no fault at the endpoint itself.
   
   ### Solution
   Hence my solution is as follows:
   We can create a new endpoint such as `/logout_page` which renders an 
HTML page which has a logout button. The logout button has a JS event handler that 
sends the POST request to the /logout endpoint, resulting in successful logout 
using the GUI.
   
   This way, the GET request doesn't happen on our /logout endpoint itself 
(thus not violating any FAB requirements) while also enabling a GUI-based 
logout action.
   
   If this is the correct approach, I am willing to open a PR.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
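The pattern proposed in the comment above, as an added stand-alone example that is not Airflow or Flask-AppBuilder code: a GET-only `/logout_page` that renders a form (with a JS handler that submits the same POST), and a POST-only `/logout` that refuses GET with 405, checks a per-session CSRF token, and only then destroys the session. It is written as a bare WSGI app with a hypothetical in-memory `SESSIONS` store so it runs offline; the route names, the `csrf_token` field and the `request()` helper are assumptions for illustration, not the project's API.

```python
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed in-memory session store (cookie value -> session data). A real
# app would use Flask-Login / FAB's session machinery; this stands in for it.
SESSIONS = {}


def login(username):
    """Create a session holding a per-session CSRF token; returns the cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(16)}
    return sid


def _session_from(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["session"].value if "session" in cookie else None
    return sid, SESSIONS.get(sid)


def _respond(start_response, status, body, headers=()):
    start_response(status, list(headers) + [("Content-Length", str(len(body)))])
    return [body]


# Served on GET: a plain form that POSTs to /logout (works without JS), plus a
# handler that sends the same POST via fetch, like the no-roles page's button.
LOGOUT_PAGE = """<!doctype html>
<title>Log out</title>
<form id="logout-form" method="post" action="/logout">
  <input type="hidden" name="csrf_token" value="{csrf}">
  <button type="submit">Log out</button>
</form>
<script>
document.getElementById("logout-form").addEventListener("submit", async (e) => {{
  e.preventDefault();
  await fetch("/logout", {{method: "POST", body: new FormData(e.target),
                          credentials: "same-origin"}});
  window.location = "/login";
}});
</script>
"""


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET").upper()
    sid, session = _session_from(environ)

    if path == "/logout_page":
        # Rendering the page is a read: GET only, and only for a logged-in user.
        if method != "GET":
            return _respond(start_response, "405 Method Not Allowed", b"", [("Allow", "GET")])
        if session is None:
            return _respond(start_response, "302 Found", b"", [("Location", "/login")])
        body = LOGOUT_PAGE.format(csrf=session["csrf"]).encode()
        return _respond(start_response, "200 OK", body,
                        [("Content-Type", "text/html; charset=utf-8")])

    if path == "/logout":
        # Logging out changes state, so it stays POST-only: a GET (a typed URL,
        # an <img src>, a link prefetch) must not be able to end the session.
        if method != "POST":
            return _respond(start_response, "405 Method Not Allowed", b"", [("Allow", "POST")])
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        token = form.get("csrf_token", [""])[0].encode()
        if session is None or not secrets.compare_digest(token, session["csrf"].encode()):
            return _respond(start_response, "403 Forbidden", b"bad or missing CSRF token")
        del SESSIONS[sid]
        return _respond(start_response, "302 Found", b"",
                        [("Location", "/login"),
                         ("Set-Cookie", "session=; Max-Age=0; Path=/")])

    return _respond(start_response, "404 Not Found", b"")


def request(method, path, cookie="", body=b""):
    """Drive the WSGI app directly (no server); returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    sid = login("no_roles_user")
    print(request("GET", "/logout")[0])                          # 405 Method Not Allowed
    print(request("GET", "/logout_page", f"session={sid}")[0])   # 200 OK
```

The CSRF token is what makes the split safe: without it, any third-party page could POST to `/logout` from the victim's browser and log them out just as a GET link could, so moving the state change to POST only helps when the POST also proves the request came from the app's own page.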