Hey! I would like to work on this issue!

(I have already posted a comment under the referenced issue and am posting the same comment here as well.)

It took me a while to triage this issue. I went through the main-branch code as well as the last released source code of airflow (2.10.4). I think I may have a way of solving this. Please correct me if I am wrong!

Triaging

I thoroughly went through the entirety of the auth-related code (to the best of my ability). There is no wrong method being called. But since the FAB requires us to not allow any GET requests at the /logout API endpoint, the HTML can't be rendered when a user manually enters the URL in the browser point.

Before moving further though, I wanted to ensure that the /logout endpoint does work for POST requests. There is one instance of a JS code sending a POST request to the /logout endpoint via the no_roles_permissions.html, where there is a logout button. In order to test this, I created a user with no roles using the command:

airflow users create \
    --username no_roles_user \
    --firstname No \
    --lastname Roles \
    --email [email protected] \
    --password your_password \
    --role Public

When I then went to the /home page, the expected page showed up:

When I clicked on the "logout" button, I was successfully able to log out, indicating no fault at the endpoint itself.

Solution

Hence my solution is as follows:
We can create a new endpoint such as /logout_page which renders an HTML which has a logout button. The logout button has a JS event handler that sends the POST request to the /logout endpoint, resulting in successful logout using GUI.

This way, the GET request doesn't happen on our /logout endpoint itself (thus not violating any FAB requirements) while also enabling a GUI-based logout action.

If this is the correct approach, I am willing to open a PR.

@Spaarsh well analyzed, solution seems solid.
Feel free to tag me in your PR for review

@shahar1 Sure! I had a question though. Should I add the logout button on some existing html page? Or provide a hyperlink on some existing page?

@shahar1 Sure! I had a question though. Should I add the logout button on some existing html page? Or provide a hyperlink on some existing page?

Just try to make it as much as trivial to the user, as logging out should be a simple action. If you encounter any limitations, we could discuss them in the PR.

@punx120 could you please tell us the steps to recreate this error? That will greatly help in fixing it. Thanks!