Skip to content

Fix AUTH_ROLE_PUBLIC returning 401 in FastAPI API server#69773

Open
lyric2249 wants to merge 3 commits into
apache:mainfrom
lyric2249:fix-fab-auth-role-public-401
Open

Fix AUTH_ROLE_PUBLIC returning 401 in FastAPI API server#69773
lyric2249 wants to merge 3 commits into
apache:mainfrom
lyric2249:fix-fab-auth-role-public-401

Conversation

@lyric2249

Copy link
Copy Markdown

FabAuthRolePublicMiddleware (added in #65685) sets request.state.user for anonymous requests when AUTH_ROLE_PUBLIC / [fab] auth_role_public is configured, but never sets request.state.user_authenticated_via. Core's get_user() dependency requires both attributes before it will trust a pre-set user and skip JWT validation, so anonymous requests still fall through to JWT validation and get rejected with 401 even though the public role is configured correctly.

This sets the same trust marker JWTRefreshMiddleware already sets, so both middlewares satisfy the same contract that get_user() checks.

The existing test_sets_public_user_when_no_auth_present test already exercises this exact code path, so it is extended with one assertion for the new attribute rather than adding a separate test; no existing assertions were changed or removed.

related: #60897


Was generative AI tooling used to co-author this PR?
  • Yes — Claude Code (Sonnet 5)

Generated-by: Claude Code (Sonnet 5) following the guidelines

FabAuthRolePublicMiddleware only sets request.state.user for
anonymous requests. Core's get_user() dependency also checks
request.state.user_authenticated_via for the trusted-middleware
sentinel before skipping JWT validation, so every anonymous request
falls through to JWT validation, has no token, and is rejected with
401 regardless of AUTH_ROLE_PUBLIC (or [fab] auth_role_public) being
configured correctly.

Set the same trust marker JWTRefreshMiddleware already sets when it
pre-authenticates a request, so both middlewares honor the same
contract.
@boring-cyborg

boring-cyborg Bot commented Jul 12, 2026

Copy link
Copy Markdown

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example Dag that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: dev@airflow.apache.org
    Slack: https://s.apache.org/airflow-slack

@lyric2249 lyric2249 closed this Jul 12, 2026
The FAB provider supports Airflow 3.0.2 and later, while
USER_INJECTED_BY_TRUSTED_MIDDLEWARE is only available in newer core
releases. Importing it unconditionally prevents the provider from loading
and causes test collection to fail against supported versions such as
Airflow 3.0.6.

Preserve trusted middleware authentication on newer core versions without
requiring older supported versions to expose the marker.
r Airflow versions
@lyric2249 lyric2249 reopened this Jul 12, 2026

@SameerMesiah97 SameerMesiah97 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have left a comment.

if public_user is not None:
request.state.user = public_user

if _USER_INJECTED_BY_TRUSTED_MIDDLEWARE is not None:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see the need for the _USER_INJECTED_BY_TRUSTED_MIDDLEWARE if it is only being used once. It would be better to in-line it like this:

user_injected = getattr(
    core_api_security,
    "USER_INJECTED_BY_TRUSTED_MIDDLEWARE",
    None,
)
if user_injected is not None:
    request.state.user_authenticated_via = user_injected

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants