vincbeck commented on code in PR #55506:
URL: https://github.com/apache/airflow/pull/55506#discussion_r2359910752


##########
airflow-core/src/airflow/api_fastapi/core_api/security.py:
##########
@@ -96,14 +97,22 @@ async def resolve_user_from_token(token_str: str | None) -> 
BaseUser:
 
 
 async def get_user(
+    request: Request,
     oauth_token: str | None = Depends(oauth2_scheme),
     bearer_credentials: HTTPAuthorizationCredentials | None = 
Depends(bearer_scheme),
 ) -> BaseUser:
-    token_str = None
+    # A user might have been already built by a middleware, if so, it is 
stored in `request.state.user`
+    user: BaseUser | None = getattr(request.state, "user", None)
+    if user:
+        return user
+
+    token_str: str | None
     if bearer_credentials and bearer_credentials.scheme.lower() == "bearer":
         token_str = bearer_credentials.credentials
     elif oauth_token:
         token_str = oauth_token
+    else:
+        token_str = request.cookies.get(COOKIE_NAME_JWT_TOKEN)
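
Review bot: The early return on `request.state.user` at the top of `get_user` gives a middleware-built user precedence over `bearer_credentials` and `oauth_token` on the same request, so a caller who sends a token for a different identity is silently resolved as the middleware's user. Consider documenting the resulting order (state user, bearer, OAuth token, cookie) in the function's docstring, and using `if user is not None:` rather than `if user:` so the check does not depend on the truthiness of a `BaseUser` object. On the new `else:` branch, the cookie named by `COOKIE_NAME_JWT_TOKEN` is attached by browsers automatically, so it is worth confirming that state-changing routes depending on `get_user` are covered by a SameSite cookie setting or a CSRF check, neither of which is visible in this hunk.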

Review Comment:
   You think? I think the cookie should be the fallback; if a token is provided 
(through `bearers` or `oauth_token`), it should take priority, in my opinion.


