Invalidate user session on password reset

providers/src/airflow/providers/fab/auth_manager/cli_commands/utils.py

@@ -27,7 +27,10 @@
 
 import airflow
 from airflow.configuration import conf
+from airflow.exceptions import AirflowConfigException
+from airflow.www.app import isabs, make_url
 from airflow.www.extensions.init_appbuilder import init_appbuilder
+from airflow.www.extensions.init_session import init_airflow_session_interface
 from airflow.www.extensions.init_views import init_plugins
 
 if TYPE_CHECKING:
@@ -39,6 +42,7 @@ def _return_appbuilder(app: Flask) -> AirflowAppBuilder:
     """Return an appbuilder instance for the given app."""
     init_appbuilder(app)
     init_plugins(app)
+    init_airflow_session_interface(app)
     return app.appbuilder  # type: ignore[attr-defined]
 
 
@@ -50,4 +54,12 @@ def get_application_builder() -> Generator[AirflowAppBuilder, None, None]:
     with flask_app.app_context():
         # Enable customizations in webserver_config.py to be applied via Flask.current_app.
         flask_app.config.from_pyfile(webserver_config, silent=True)
+        flask_app.config["SQLALCHEMY_DATABASE_URI"] = conf.get("database", "SQL_ALCHEMY_CONN")
+        url = make_url(flask_app.config["SQLALCHEMY_DATABASE_URI"])
+        if url.drivername == "sqlite" and url.database and not isabs(url.database):
+            raise AirflowConfigException(
+                f'Cannot use relative path: `{conf.get("database", "SQL_ALCHEMY_CONN")}` to connect to sqlite. '
+                "Please use absolute path such as `sqlite:////tmp/airflow.db`."
+            )
+        flask_app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
         yield _return_appbuilder(flask_app)

providers/src/airflow/providers/fab/auth_manager/security_manager/override.py

@@ -572,6 +572,7 @@ def reset_user_sessions(self, user: User) -> None:
                     session_details = interface.serializer.loads(want_bytes(s.data))
                     if session_details.get("_user_id") == user.id:
                         session.delete(s)
+                session.commit()
         else:
             self._cli_safe_flash(
                 "Since you are using `securecookie` session backend mechanism, we cannot prevent "