jason810496 commented on code in PR #63195:
URL: https://github.com/apache/airflow/pull/63195#discussion_r2909613176
##########
airflow-core/src/airflow/api_fastapi/core_api/routes/ui/auth.py:
##########
@@ -50,3 +58,30 @@ def get_current_user_info(
id=user.get_id(),
username=user.get_name(),
)
+
+
+@auth_router.post("/auth/token")
+def generate_token(
+ body: GenerateTokenBody,
+ user: GetUserDep,
+) -> GenerateTokenResponse:
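Review bot: the new `/auth/token` route is decorated only with `@auth_router.post("/auth/token")`, so the token-minting action leaves no audit record of which user requested a token or for how long. Since this mints a credential usable outside the browser session, it should get the same audit treatment as the public API mutation endpoints, i.e. stack `@action_logging` under the route decorator: `@auth_router.post("/auth/token")` / `@action_logging` / `def generate_token(`. The hunk header announces 30 added lines but only the signature is shown here, so it is not visible whether the requested lifetime in `GenerateTokenBody` is bounded server-side; worth confirming that in the full diff alongside the logging change.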
Review Comment:
> a compromised UI session could silently mint long-lived API tokens (up to
> 24h) with no trace. Public API mutation endpoints use @action_logging; while UI
> routes don't currently use that decorator, minting a JWT that works outside the
> browser session is fundamentally different from reading UI data.
Perhaps it is worthwhile to add `@action_logging` to this UI route for
audit logging purposes.
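As an added illustration of what audit logging around a token-minting route buys a defender (this is not Airflow's `@action_logging` nor code from this PR; the names `audit_action`, `AUDIT_LOG`, `MAX_TOKEN_LIFETIME` and the placeholder token are assumptions), the decorator below records the acting user, the requested lifetime and the outcome of every call, including refused ones, and the handler enforces the 24h ceiling the comment mentions:

```python
import functools
import logging
from datetime import datetime, timedelta, timezone

# Constructed example: a stand-in for an audit decorator in the spirit of
# @action_logging. It is NOT Airflow's implementation; the names below are assumed.
logger = logging.getLogger("audit")
AUDIT_LOG: list[dict] = []            # in-memory sink so the example runs and is checkable offline
MAX_TOKEN_LIFETIME = timedelta(hours=24)


def audit_action(action: str):
    """Record who performed `action`, with which parameters, and whether it succeeded."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, user: str, **kwargs):
            record = {
                "action": action,
                "user": user,
                "params": {k: str(v) for k, v in kwargs.items()},  # no secrets are among the inputs here
                "at": datetime.now(timezone.utc).isoformat(),
                "outcome": "ok",
            }
            try:
                return fn(*args, user=user, **kwargs)
            except Exception as exc:
                # Refused or failed attempts are the interesting ones for an investigator.
                record["outcome"] = f"error: {type(exc).__name__}"
                raise
            finally:
                AUDIT_LOG.append(record)
                logger.info("audit %s", record)
        return wrapper
    return decorator


@audit_action("generate_token")
def generate_token(*, user: str, expiration: timedelta) -> dict:
    """Hypothetical token-minting handler: cap the lifetime and return a placeholder token."""
    if expiration <= timedelta(0) or expiration > MAX_TOKEN_LIFETIME:
        raise ValueError("requested token lifetime out of range")
    expires_at = datetime.now(timezone.utc) + expiration
    # A real handler would sign a JWT here; the example returns an obviously fake value.
    return {"token": f"PLACEHOLDER-TOKEN-FOR-{user}", "expires_at": expires_at.isoformat()}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    generate_token(user="alice", expiration=timedelta(hours=1))
    try:
        generate_token(user="bob", expiration=timedelta(hours=48))
    except ValueError:
        pass
    for entry in AUDIT_LOG:
        print(entry["user"], entry["action"], entry["params"], entry["outcome"])
```

The point of logging in `finally` rather than only on success is that an over-long or otherwise rejected request still produces a record; that is the trace a compromised-session scenario would otherwise lack.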
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]