[PR] Enforce ti:self scope on /execution/task-reschedules/{ti}/start_date [airflow]

Wed, 27 May 2026 16:06:47 -0700 


potiuk opened a new pull request, #67628:
URL: https://github.com/apache/airflow/pull/67628

   Three sibling per-task-instance routers under 
`airflow.api_fastapi.execution_api.routes` opt into the `ti:self` JWT scope, 
which "verifies that the token's sub claim matches the {task_instance_id} path 
parameter, preventing a worker from accessing another task's endpoints" (per 
`security/jwt_token_authentication.html`): `task_instances.py`, `hitl.py`, and 
`task_state.py`. The `task_reschedules.py` router for `GET 
/execution/task-reschedules/{task_instance_id}/start_date` was missing that 
scope, so any authenticated worker could read the first reschedule timestamp of 
any task instance in the deployment by passing that task instance's UUID in the 
URL path.
   
   This change adds the standard `dependencies=[Security(require_auth, 
scopes=["ti:self"])]` to the router declaration — the same pattern the three 
sibling routers already use. One new regression test under 
`TestGetRescheduleStartDate` exercises the mismatched-subject path and asserts 
403.
   
   Reference: airflow-s/airflow-s#406
   
   ## Test plan
   
   - [x] New regression test `test_mismatched_subject_is_rejected` asserts a 
mismatched JWT subject is rejected with 403 on the concrete route.
   - [x] Existing `TestGetRescheduleStartDate` tests still pass (the conftest 
`client` fixture auto-matches the JWT subject to the path parameter, so 
happy-path tests are unaffected).
   - [x] `prek run --from-ref main --to-ref HEAD --stage pre-commit` clean on 
touched files.
   - [x] `prek run --from-ref main --to-ref HEAD --stage manual` clean on 
touched files.
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Opus 4.7 (1M context)
   
   Generated-by: Claude Opus 4.7 (1M context) following the guidelines at 
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to