CVE-2022-41672: Apache Airflow: Session still funtional after user is deactivated

[Jedidiah Cunningham <jedcunningham () apache org>]

Description:

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from 
being able to continue using the UI or API.

Credit:

The Apache Airflow PMC would like to thank Axel Chong (@Haxatron) for reporting this issue.

References:

https://github.com/apache/airflow/pull/26635