Skip to content

AIP-38 Fix safari login loop for non ssl #47859

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pierrejeambrun merged 1 commit into from
Mar 17, 2025
Merged

AIP-38 Fix safari login loop for non ssl #47859

pierrejeambrun merged 1 commit into from
Mar 17, 2025

Conversation

@pierrejeambrun
Copy link
Member

@pierrejeambrun pierrejeambrun commented Mar 17, 2025
edited
Loading

Safari has a stricter policy when it comes to secure cookies. I will not allow localhost to use such cookies (https is always required), which is not the case for other browser.

This will at least fix the case for the development mode. i.e safari will work in --dev-mode in breeze or by specifying the env variable and running the api_server.

It will still not work in non dev-mode via breeze though.

There is no issue for real development mode as long as people are using https to connect to their instance.

@pierrejeambrun pierrejeambrun self-assigned this Mar 17, 2025
@ashb
Copy link
Member

ashb commented Mar 17, 2025

Does this mean that deployments must be using https as well?

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 17, 2025
View reviewed changes
@pierrejeambrun
Copy link
Member Author

pierrejeambrun commented Mar 17, 2025
edited
Loading

If deployment do not use https safari will block such secure cookies and indeed this will not work.

Is that a popular use case ? Do we need to support safari for that ?

@pierrejeambrun
Copy link
Member Author

pierrejeambrun commented Mar 17, 2025
edited
Loading

Maybe only enable the secure attribute when there is api.ssl_cert in the conf ? Actually that's a better idea I think, let me update that

@pierrejeambrun pierrejeambrun force-pushed the aip-38-fix-safari-login-loop-dev-mode branch from f80a6dc to ec208e6 Compare March 17, 2025 13:05
@pierrejeambrun pierrejeambrun changed the title AIP-38 Fix safari login loop in dev mode AIP-38 Fix safari login loop for non ssl Mar 17, 2025
@ashb
Copy link
Member

ashb commented Mar 17, 2025
edited
Loading

Maybe only enable the secure attribute when there is api.ssl_cert in the conf ? Actually that's a better idea I think, let me update that

That alone isn't enough -- it is much more common to use some kind of proxy in front to handle the TLS termination (ALB, Nginx, Kubernetes Ingress etc.) so we'll have to look at something else (at least as well)

Well, this "fails working" which is the right thing we want for now, so lets go ahead and merge this for now, but probably create an issue to come back and revisit this with reverse proxies in mind.

@pierrejeambrun pierrejeambrun mentioned this pull request Mar 17, 2025
Open
@ashb
Copy link
Member

ashb commented Mar 17, 2025
edited
Loading

It's possible we can look at the request.secure or something. We have this in our config

    proxy_fix_x_proto:
      description: |
        Number of values to trust for ``X-Forwarded-Proto``.
        See `Werkzeug: X-Forwarded-For Proxy Fix
        <https://werkzeug.palletsprojects.com/en/2.3.x/middleware/proxy_fix/>`__ for more details.
      version_added: 1.10.7
      type: integer
      example: ~
      default: "1"

Which in turn is available as request.is_secure

ashb
ashb reviewed Mar 17, 2025
View reviewed changes
@pierrejeambrun pierrejeambrun force-pushed the aip-38-fix-safari-login-loop-dev-mode branch from ec208e6 to fcfb934 Compare March 17, 2025 15:55
@pierrejeambrun pierrejeambrun force-pushed the aip-38-fix-safari-login-loop-dev-mode branch from fcfb934 to ee28852 Compare March 17, 2025 16:03
@pierrejeambrun pierrejeambrun merged commit bf25c37 into apache:main Mar 17, 2025
60 checks passed
@pierrejeambrun pierrejeambrun deleted the aip-38-fix-safari-login-loop-dev-mode branch March 17, 2025 17:54
@pierrejeambrun pierrejeambrun mentioned this pull request Mar 17, 2025
Open
@pierrejeambrun
Copy link
Member Author

pierrejeambrun commented Mar 17, 2025
edited
Loading

Issue here #47878, I marked it for 3.0 bugfix for now, we can take a look after the feature freeze

agupta01 pushed a commit to agupta01/airflow that referenced this pull request Mar 21, 2025
@pierrejeambrun @agupta01
AIP-38 Fix safari login loop in dev mode (apache#47859)
0b322c0
@pierrejeambrun pierrejeambrun mentioned this pull request Mar 27, 2025
Merged
nailo2c pushed a commit to nailo2c/airflow that referenced this pull request Apr 4, 2025
@pierrejeambrun @nailo2c
AIP-38 Fix safari login loop in dev mode (apache#47859)
c0493e7
This was referenced Apr 6, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ashb ashb ashb approved these changes

@vincbeck vincbeck vincbeck approved these changes

@amoghrajesh amoghrajesh Awaiting requested review from amoghrajesh

@bbovenzi bbovenzi Awaiting requested review from bbovenzi

Assignees

@pierrejeambrun pierrejeambrun

Labels

area:providers provider:fab

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pierrejeambrun @ashb @vincbeck