SameerMesiah97 commented on code in PR #61287: URL: https://github.com/apache/airflow/pull/61287#discussion_r2752088108
########## providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py: ########## @@ -0,0 +1,85 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +"""Custom OAuth authentication view to fix session timing race condition.""" + +from __future__ import annotations + +import logging + +from flask import session +from flask_appbuilder.security.views import AuthOAuthView + +from airflow.configuration import conf + +log = logging.getLogger(__name__) + + +class CustomAuthOAuthView(AuthOAuthView): + """ + Custom OAuth authentication view that ensures session is committed before redirect. + + Fixes issue #57981 where UI requests fail with 401 during OAuth flow because + the Flask session is not yet committed when the redirect response is sent. + """ + + def oauth_authorized(self, provider): + """ + OAuth callback handler that explicitly commits session before redirect. + + This method overrides the parent's oauth_authorized to ensure that the + Flask session (containing OAuth tokens and user authentication) is fully + committed to the session backend (cookie or database) before redirecting + the user to the UI. + + This prevents the race condition where the UI makes API requests before + the session is available, causing temporary 401 errors during login. + + Args: + provider: OAuth provider name (e.g., 'azure', 'google', 'github') + + Returns: + Flask response object (redirect to original URL or home page) + """ + log.debug("OAuth callback received for provider: %s", provider) + + # Call parent's OAuth callback handling + # This processes the OAuth response, authenticates the user, and sets session data + response = super().oauth_authorized(provider) + + # Explicitly commit the Flask session to ensure it's persisted + # This is critical for the race condition fix + session_backend = conf.get("fab", "SESSION_BACKEND", fallback="securecookie") + + if session_backend == "database": + # For database sessions, Flask-Session automatically handles commit + # but we explicitly mark the session as modified to ensure it's saved + session.modified = True + log.debug("Marked session as modified for database backend") + else: + # For securecookie sessions, session is automatically encoded into cookie + # but we still mark it as modified to ensure fresh encoding + session.modified = True + log.debug("Marked session as modified for securecookie backend") + Review Comment: Seems like the branching here is redundant. Is logging the only reason for doing this? If that is the case, I would recommend the following in place of lines 68-77: ``` session.modified = True log.debug ("Marked session as modified for %s backend", session_backend) ``` ########## providers/fab/tests/unit/fab/auth_manager/views/test_auth_oauth.py: ########## @@ -0,0 +1,88 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +from __future__ import annotations + +from unittest import mock + +from airflow.providers.fab.auth_manager.views.auth_oauth import CustomAuthOAuthView + + +class TestCustomAuthOAuthView: + """Test CustomAuthOAuthView.""" + + @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.conf") + @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.session") + def test_oauth_authorized_marks_session_modified_database_backend(self, mock_session, mock_conf): + """Test that oauth_authorized marks session as modified for database backend.""" + # Setup + mock_conf.get.return_value = "database" + view = CustomAuthOAuthView() + + # Mock parent's oauth_authorized to return a mock response + with mock.patch.object( + view.__class__.__bases__[0], "oauth_authorized", return_value=mock.Mock() + ) as mock_parent: Review Comment: Why not patch `AuthOAuthView` instead of `view.__class__.__bases__[0]`? It would be more explicit and less brittle. ########## providers/fab/tests/unit/fab/auth_manager/views/test_auth_oauth.py: ########## @@ -0,0 +1,88 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +from __future__ import annotations + +from unittest import mock + +from airflow.providers.fab.auth_manager.views.auth_oauth import CustomAuthOAuthView + + +class TestCustomAuthOAuthView: + """Test CustomAuthOAuthView.""" + + @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.conf") + @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.session") + def test_oauth_authorized_marks_session_modified_database_backend(self, mock_session, mock_conf): + """Test that oauth_authorized marks session as modified for database backend.""" + # Setup + mock_conf.get.return_value = "database" + view = CustomAuthOAuthView() + + # Mock parent's oauth_authorized to return a mock response + with mock.patch.object( + view.__class__.__bases__[0], "oauth_authorized", return_value=mock.Mock() + ) as mock_parent: + # Execute + view.oauth_authorized("test_provider") + + # Verify parent was called + mock_parent.assert_called_once_with("test_provider") + + # Verify session.modified was set to True + assert mock_session.modified is True + + # Verify conf.get was called to check backend type + mock_conf.get.assert_called_once_with("fab", "SESSION_BACKEND", fallback="securecookie") + + @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.conf") + @mock.patch("airflow.providers.fab.auth_manager.views.auth_oauth.session") + def test_oauth_authorized_marks_session_modified_securecookie_backend(self, mock_session, mock_conf): + """Test that oauth_authorized marks session as modified for securecookie backend.""" + # Setup + mock_conf.get.return_value = "securecookie" + view = CustomAuthOAuthView() + + # Mock parent's oauth_authorized to return a mock response + with mock.patch.object( + view.__class__.__bases__[0], "oauth_authorized", return_value=mock.Mock() + ) as mock_parent: + # Execute + view.oauth_authorized("azure") + + # Verify parent was called + mock_parent.assert_called_once_with("azure") + + # Verify session.modified was set to True + assert mock_session.modified is True + Review Comment: The 2 tests above can be collapsed into one. ########## providers/fab/src/airflow/providers/fab/auth_manager/views/auth_oauth.py: ########## @@ -0,0 +1,85 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +"""Custom OAuth authentication view to fix session timing race condition.""" + +from __future__ import annotations + +import logging + +from flask import session +from flask_appbuilder.security.views import AuthOAuthView + +from airflow.configuration import conf + +log = logging.getLogger(__name__) + + +class CustomAuthOAuthView(AuthOAuthView): + """ + Custom OAuth authentication view that ensures session is committed before redirect. + + Fixes issue #57981 where UI requests fail with 401 during OAuth flow because + the Flask session is not yet committed when the redirect response is sent. + """ + + def oauth_authorized(self, provider): + """ + OAuth callback handler that explicitly commits session before redirect. + + This method overrides the parent's oauth_authorized to ensure that the + Flask session (containing OAuth tokens and user authentication) is fully + committed to the session backend (cookie or database) before redirecting + the user to the UI. + + This prevents the race condition where the UI makes API requests before + the session is available, causing temporary 401 errors during login. + + Args: + provider: OAuth provider name (e.g., 'azure', 'google', 'github') + + Returns: + Flask response object (redirect to original URL or home page) + """ + log.debug("OAuth callback received for provider: %s", provider) + + # Call parent's OAuth callback handling + # This processes the OAuth response, authenticates the user, and sets session data + response = super().oauth_authorized(provider) + + # Explicitly commit the Flask session to ensure it's persisted + # This is critical for the race condition fix + session_backend = conf.get("fab", "SESSION_BACKEND", fallback="securecookie") + + if session_backend == "database": + # For database sessions, Flask-Session automatically handles commit + # but we explicitly mark the session as modified to ensure it's saved + session.modified = True + log.debug("Marked session as modified for database backend") + else: + # For securecookie sessions, session is automatically encoded into cookie + # but we still mark it as modified to ensure fresh encoding + session.modified = True + log.debug("Marked session as modified for securecookie backend") + + # The session will be saved when this request completes, before the redirect + # response is sent to the client. Flask's session interface handles this + # automatically via the after_request handler + + log.debug("OAuth authentication completed successfully for provider: %s", provider) + Review Comment: Looks like this message will be logged even when when authentication fails. `oauth_authorized` might not always raise in that scenario. Perhaps, this would be more accurate: `log.debug("OAuth callback handling completed for provider: %s", provider)` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
