
Fix redirect loop when stale root-path _token cookie exists from older Airflow instance#64955

Open
wolfdn wants to merge 1 commit into apache:main from
boschglobal:bugfix/correctly-handle-invalid-cookie-at-root-path

Conversation

@wolfdn
Contributor

@wolfdn wolfdn commented Apr 9, 2026

Problem Description

This PR fixes a bug that was introduced by this PR: #62771

When multiple Airflow instances are hosted on the same domain under different subpaths
(e.g. /team-a/airflow/, /team-b/airflow/), users who previously visited an older
Airflow instance end up in an infinite redirect loop on the newer instance.

The older instance sets the _token cookie at Path=/. The newer instance scopes its
cookie to the subpath (e.g. Path=/team-a/airflow/). When the browser sends both cookies,
the JWTRefreshMiddleware detects the stale root-path token as invalid and clears it —
but only at the subpath. The root-path cookie is never removed, so it keeps being sent on
every subsequent request:

GET /team-a/airflow/  (with stale _token at Path=/)
  → middleware rejects token, deletes cookie for Path=/team-a/airflow/
  → 307 redirect to login
GET /team-a/airflow/auth/login  (root _token still present)
  → middleware rejects token again, deletes cookie for Path=/team-a/airflow/
  → 302 redirect to /team-a/airflow/auth/
  → ...infinite loop

Solution

When the middleware or the logout endpoint clears the _token cookie and the configured
cookie path is not /, also delete the cookie at Path=/. This removes the stale
root-path cookie on the very first failed validation, breaking the loop immediately.

Changes

  • airflow-core/src/airflow/api_fastapi/auth/middlewares/refresh_token.py -
    When invalidating an expired/invalid token, also delete_cookie at Path=/
  • airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py -
    On logout, also delete_cookie at Path=/

Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)
    GitHub Copilot - Claude Opus 4.6

  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.
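To make the cookie-path mechanics concrete, the following is an added simulation (not Airflow's code) of a browser cookie store with path-scoped cookies and a middleware that, on an invalid `_token`, either clears only the configured subpath cookie or additionally clears `Path=/`; the class and function names, the token values and the request limit are assumptions made for the example.

```python
"""Simulate path-scoped cookie deletion: a stale _token cookie at Path=/ survives
deletion scoped to the subpath, so every request redirects again; clearing
Path=/ as well stops the loop on the first failed validation.
Added illustration, not Airflow's code; names and values are assumptions."""
from dataclasses import dataclass, field

@dataclass
class CookieJar:
    """Minimal browser cookie store: a cookie is identified by (name, path)."""
    cookies: dict = field(default_factory=dict)  # (name, path) -> value

    def set(self, name, value, path="/"):
        self.cookies[(name, path)] = value

    def delete(self, name, path):
        # A Set-Cookie with Max-Age=0 removes only the cookie whose Path matches
        self.cookies.pop((name, path), None)

    def for_request(self, url_path):
        # The browser sends every cookie whose Path is a prefix of the request
        # path; RFC 6265 orders longer (more specific) paths first.
        sent = [(n, p, v) for (n, p), v in self.cookies.items() if url_path.startswith(p)]
        return sorted(sent, key=lambda c: -len(c[1]))

VALID_TOKENS = {"fresh-token"}  # constructed stand-in for JWT validation

def handle_request(jar, url_path, cookie_path, clear_root_too):
    """Return the next URL the browser must fetch, or None once the request is
    served. Mirrors the refresh middleware: an invalid _token is deleted at the
    configured path (and at '/' when enabled) and the client is redirected."""
    tokens = [v for n, p, v in jar.for_request(url_path) if n == "_token"]
    token = tokens[0] if tokens else None
    if token is not None and token not in VALID_TOKENS:
        jar.delete("_token", cookie_path)
        if clear_root_too and cookie_path != "/":
            jar.delete("_token", "/")
        return f"{cookie_path}auth/login"
    return None

def count_hops(clear_root_too, limit=10):
    """Number of requests until one is served; reaches `limit` on a redirect loop."""
    jar = CookieJar()
    jar.set("_token", "stale-token", path="/")  # left behind by the older instance
    hops, url = 0, "/team-a/airflow/"
    while url is not None and hops < limit:
        url = handle_request(jar, url, "/team-a/airflow/", clear_root_too)
        hops += 1
    return hops
```

Without the root-path deletion the simulation hits the request limit (the loop from the description); with it, the second request is served.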

Contributor

@jscheffl jscheffl left a comment


Thanks for the fix!


Labels

area:API Airflow's REST/HTTP API


2 participants