Avoid logging Execution API bearer credentials#67059
Conversation
Thank you for your contribution.
I believe the newsfragment is for changelogs, and I don't think we need it here, right, @jscheffl?
Yes, please NO newsfragments for bug fixes. This is for IMPORTANT announcements in releases ONLY.
Please revert or remove the fragment
Thank you for your comments. I removed the fragment.
| except Exception as err: | ||
| log.warning("Failed to validate JWT", exc_info=True, token=creds.credentials) | ||
| log.warning("Failed to validate JWT", exc_info=True) | ||
| raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"Invalid auth token: {err}") |
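Review bot: the context line `raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"Invalid auth token: {err}")` still interpolates the exception text into the client response, so whatever the validation library puts in its message reaches the caller even though the hunk stops attaching `token=creds.credentials` to the log event; a fixed `detail="Invalid auth token"` keeps that diagnostic server-side, where `exc_info=True` already records the exception and traceback. One caveat to confirm: if the configured log renderer prints frame locals alongside the traceback, `creds` is in scope in the failing frame and the credential would reappear through that path, so the test added for this change should assert on the rendered output rather than only on the event's keyword fields.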
Would it make sense for these details to return something more generic? Without the err variable?
Thanks, that makes sense. I updated the client-facing detail to use a generic "Invalid auth token" message and kept the detailed exception available only through the server-side log via exc_info=True.
Avoid passing the supplied Execution API Bearer credential into the JWT validation failure log event.

This is a small defense-in-depth hardening change. The warning message, exception info, and HTTP 403 behavior are preserved; the raw credential is no longer attached as a structured token field.

Tests:

breeze run ruff format airflow-core/src/airflow/api_fastapi/execution_api/security.py airflow-core/tests/unit/api_fastapi/execution_api/test_security.py
breeze run ruff check --fix airflow-core/src/airflow/api_fastapi/execution_api/security.py airflow-core/tests/unit/api_fastapi/execution_api/test_security.py
breeze run pytest airflow-core/tests/unit/api_fastapi/execution_api/test_security.py::TestJWTBearerLogging -xvs

Was generative AI tooling used to co-author this PR?
Generated-by: Codex (GPT-5) following the guidelines
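The shape the review converged on, a warning with exc_info=True that carries no credential and a fixed client-facing detail, as an added example that is not the PR's or Airflow's code. It stands up a minimal HS256 verifier on the standard library in place of the project's JWT library, uses a hypothetical AuthError in place of HTTPException, and constructs its own secret and tokens, so it runs offline. authenticate_before reproduces the pre-fix pattern beside the hardened authenticate, and run_and_capture renders the log the way a handler would so the check is on what actually reaches the log text, not just on the event's fields.

```python
"""Token-free JWT failure logging (added example, not Airflow's code).
A stdlib HS256 verifier stands in for the project's JWT library and AuthError for
the framework's 403 response; the secret and tokens below are constructed."""
import base64
import hashlib
import hmac
import io
import json
import logging
import time

log = logging.getLogger("example.execution_api.security")
log.propagate = False  # keep the demo's records in the captured stream only
SECRET = b"constructed-example-secret-not-for-real-use"  # constructed, demo only

class AuthError(Exception):
    """Hypothetical stand-in for HTTPException: status code plus client-visible detail."""
    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _sign(header_b64: str, payload_b64: str, secret: bytes) -> bytes:
    return hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()

def mint_token(sub: str, ttl_seconds: int = 60, secret: bytes = SECRET) -> str:
    """Issue a constructed HS256 JWT; a negative ttl_seconds yields an expired one."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "exp": int(time.time()) + ttl_seconds}
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}.{_b64url_encode(_sign(header_b64, payload_b64, secret))}"

def forge_claims(token: str, sub: str) -> str:
    """Tamper case: replace the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = _b64url_encode(json.dumps({"sub": sub, "exp": int(time.time()) + 60}).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"

def verify_token(token: str, secret: bytes = SECRET) -> dict:
    """Check structure, then signature, then expiry; error messages never echo the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three segments")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")
    if not hmac.compare_digest(_sign(header_b64, payload_b64, secret), _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

def authenticate_before(credential: str) -> dict:
    """Pre-fix shape: credential in the log event, exception text echoed to the client."""
    try:
        return verify_token(credential)
    except Exception as err:
        log.warning("Failed to validate JWT token=%s", credential, exc_info=True)  # the old token= field
        raise AuthError(403, f"Invalid auth token: {err}") from None

def authenticate(credential: str) -> dict:
    """Hardened shape: exc_info keeps diagnostics server-side, the event carries no credential."""
    try:
        return verify_token(credential)
    except Exception:
        log.warning("Failed to validate JWT", exc_info=True)
        raise AuthError(403, "Invalid auth token") from None

def run_and_capture(authenticate_fn, credential: str) -> dict:
    """Authenticate under a captured log stream; report what the client and the log each saw."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    log.addHandler(handler)
    log.setLevel(logging.WARNING)
    try:
        claims = authenticate_fn(credential)
        return {"status": 200, "detail": None, "sub": claims["sub"], "credential_logged": False}
    except AuthError as err:
        logged = stream.getvalue()
        return {"status": err.status_code, "detail": err.detail,
                "credential_logged": credential in logged, "traceback_logged": "Traceback" in logged}
    finally:
        log.removeHandler(handler)

if __name__ == "__main__":
    forged = forge_claims(mint_token("task-1"), "admin")
    for fn in (authenticate_before, authenticate):
        print(fn.__name__, run_and_capture(fn, forged))
```

Running it with a forged token shows both variants returning 403, but only authenticate_before leaves the full credential in the rendered log and puts "signature mismatch" in the client detail; the hardened version still logs the traceback, which is what the operator needs to debug the failure.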