anishgirianish opened a new pull request, #61339:
URL: https://github.com/apache/airflow/pull/61339

   ## Summary

   - Adds a `revoked_token` table to persist revoked JWT token JTIs on logout
   - On logout, the token's `jti` is extracted and stored with its `exp` timestamp
   - On every authenticated request, `get_user_from_token` checks if the `jti` has been revoked before allowing access
   - Expired revoked tokens are automatically cleaned up via the existing `db_cleanup` mechanism

   ## Design decisions

   - **No in-memory cache**: The current implementation checks the DB on every request. For most Airflow deployments this is sufficient given the low request volume relative to high-traffic APIs. If this becomes a bottleneck, we can add an LRU cache or Redis-backed lookup — happy to discuss the right caching strategy in a follow-up if the community has preferences.
   - **Inclusive naming**: Uses `RevokedToken` / `revoke()` / `is_revoked()` instead of blocklist/denylist terminology.
   - **Sync `revoke()` / async `is_revoked()`**: `revoke()` is sync because the logout endpoint is sync; `is_revoked()` is async because `get_user_from_token` is async.
   
   * closes: #47952                                
