GayathriSrividya commented on code in PR #67944:
URL: https://github.com/apache/airflow/pull/67944#discussion_r3355039290
##########
airflow-core/src/airflow/api_fastapi/execution_api/app.py:
##########
@@ -141,7 +148,18 @@ async def dispatch(self, request: Request, call_next):
try:
async with svcs.Container(request.app.state.svcs_registry) as
services:
validator: JWTValidator = await services.aget(JWTValidator)
- claims = await validator.avalidated_claims(token, {})
+ try:
+ claims = await validator.avalidated_claims(token, {})
+ except pyjwt.ExpiredSignatureError:
+ # Token may have expired between the auth check and
here
+ # (e.g. token lifetime boundary crossed during request
+ # processing). Re-validate with a short grace period so
+ # the client receives a fresh replacement token and can
+ # retry automatically. The signature and all other
+ # claims are still fully verified.
+ claims = await validator.avalidated_claims(
+ token, {}, extra_leeway=self.REISSUE_GRACE_LEEWAY
+ )
Review Comment:
Fair point on the extra leeway. I agree that part should not be there.
I also understand you review a lot of PRs, so thanks for taking the time to
look at this. I’m closing this one for now rather than keep pushing on a messy
patch.
If I come back to it, I’ll open a smaller PR that only reuses the claims
already validated by JWTBearer, without adding any expiry leeway.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
