Logging out from Web UI still raises Airflow 405 error

[punx120]

Apache Airflow version

2.10.4

If "Other Airflow 2 version" selected, which one?

No response

What happened?

I still have the same error as described in #40470 even though i'm running 2.10.4 with apache-airflow-providers-fab 1.4.0. It's probably linked to some package - but i did ran
pip install "apache-airflow==2.10.4" --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-2.10.4/constraints-3.8.txt"

What you think should happen instead?

logout process needs to complete correctly

How to reproduce

connected as admin and try to logout

Operating System

Fedora 8.3

Versions of Apache Airflow Providers

apache-airflow-providers-fab==1.4.0

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[Spaarsh]

Hey! I would like to work on this issue!

[Spaarsh]

(I have already posted a comment under the referenced issue and am posting the same comment here as well.)

It took me a while to triage this issue. I went through the main-branch code as well as the last released source code of airflow (2.10.4). I think I may have a way of solving this. Please correct me if I am wrong!

Triaging

I thoroughly went through the entirety of the auth-related code (to the best of my ability). There is no wrong method being called. But since the FAB requires us to not allow any GET requests at the /logout API endpoint, the HTML can't be rendered when a user manually enters the URL in the browser point.

Before moving further though, I wanted to ensure that the /logout endpoint does work for POST requests. There is one instance of a JS code sending a POST request to the /logout endpoint via the no_roles_permissions.html, where there is a logout button. In order to test this, I created a user with no roles using the command:

airflow users create \
    --username no_roles_user \
    --firstname No \
    --lastname Roles \
    --email [email protected] \
    --password your_password \
    --role Public

When I then went to the /home page, the expected page showed up:

When I clicked on the "logout" button, I was successfully able to log out, indicating no fault at the endpoint itself.

Solution

Hence my solution is as follows:
We can create a new endpoint such as /logout_page which renders an HTML which has a logout button. The logout button has a JS event handler that sends the POST request to the /logout endpoint, resulting in successful logout using GUI.

This way, the GET request doesn't happen on our /logout endpoint itself (thus not violating any FAB requirements) while also enabling a GUI-based logout action.

If this is the correct approach, I am willing to open a PR.

[shahar1]

@Spaarsh well analyzed, solution seems solid.
Feel free to tag me in your PR for review

[Spaarsh]

@shahar1 Sure! I had a question though. Should I add the logout button on some existing html page? Or provide a hyperlink on some existing page?

[shahar1]

@shahar1 Sure! I had a question though. Should I add the logout button on some existing html page? Or provide a hyperlink on some existing page?

Just try to make it as much as trivial to the user, as logging out should be a simple action. If you encounter any limitations, we could discuss them in the PR.

[Spaarsh]

@punx120 could you please tell us the steps to recreate this error? That will greatly help in fixing it. Thanks!

[punx120]

@punx120 could you please tell us the steps to recreate this error? That will greatly help in fixing it. Thanks!

I simply click on the logout link.

[punx120]

On a fresh install, it works - so it must be a config and/or package conflict - will try to dig into it

[Spaarsh]

Next time the error occurs, inspect the logout button and check the corresponding action that is being taken on clicking it. From what I have discerned, the error should only surface if a GET request is sent at the /logout/ endpoint. Check in the webserver logs as well and check the request being sent. If it is GET, then we may have a lead.

[potiuk]

And take a look also at the providers reported by webserver (in the webserver menu). It could be that your webserver had - for whatever reason - different provider installed - or maybe even different airflow+provider installed when you run it. And it this case the error is on the side of provider installed in the webserver.

[potiuk]

I convert it to a discussion as well - as it's something differnt - the issue seems to be solved but we might still discuss what's the problem you encountered with packages.