avoid cycle on current_user in _set_xsrf_cookie

pass authenticated explicitly

jupyterhub/_xsrf_utils.py

@@ -104,13 +104,20 @@ def _get_xsrf_token_cookie(handler):
     return (None, None)
 
 
-def _set_xsrf_cookie(handler, xsrf_id, cookie_path=""):
+def _set_xsrf_cookie(handler, xsrf_id, *, cookie_path="", authenticated=None):
     """Set xsrf token cookie"""
     xsrf_token = _create_signed_value_urlsafe(handler, "_xsrf", xsrf_id)
     xsrf_cookie_kwargs = {}
     xsrf_cookie_kwargs.update(handler.settings.get('xsrf_cookie_kwargs', {}))
     xsrf_cookie_kwargs.setdefault("path", cookie_path)
-    if not handler.current_user:
+    if authenticated is None:
+        try:
+            current_user = handler.current_user
+        except Exception:
+            authenticated = False
+        else:
+            authenticated = bool(current_user)
+    if not authenticated:
         # limit anonymous xsrf cookies to one hour
         xsrf_cookie_kwargs.pop("expires", None)
         xsrf_cookie_kwargs.pop("expires_days", None)
@@ -166,7 +173,7 @@ def get_xsrf_token(handler, cookie_path=""):
             )
 
     if _set_cookie:
-        _set_xsrf_cookie(handler, xsrf_id, cookie_path)
+        _set_xsrf_cookie(handler, xsrf_id, cookie_path=cookie_path)
     handler._xsrf_token = xsrf_token
     return xsrf_token
 

jupyterhub/handlers/base.py

@@ -738,7 +738,9 @@ class BaseHandler(RequestHandler):
         # make sure xsrf cookie is updated
         # this avoids needing a second request to set the right xsrf cookie
         self._jupyterhub_user = user
-        _set_xsrf_cookie(self, self._xsrf_token_id, cookie_path=self.hub.base_url)
+        _set_xsrf_cookie(
+            self, self._xsrf_token_id, cookie_path=self.hub.base_url, authenticated=True
+        )
 
     def authenticate(self, data):
         return maybe_future(self.authenticator.get_authenticated_user(self, data))

jupyterhub/services/auth.py

@@ -45,6 +45,7 @@ from tornado.httpclient import AsyncHTTPClient, HTTPRequest
 from tornado.httputil import url_concat
 from tornado.log import app_log
 from tornado.web import HTTPError, RequestHandler
+from tornado.websocket import WebSocketHandler
 from traitlets import (
     Any,
     Bool,
@@ -805,6 +806,10 @@ class HubAuth(SingletonConfigurable):
         if not hasattr(self, 'set_cookie'):
             # only HubOAuth can persist cookies
             return
+        fetch_mode = handler.request.headers.get("Sec-Fetch-Mode", "navigate")
+        if isinstance(handler, WebSocketHandler) or fetch_mode != "navigate":
+            # don't do this on websockets or non-navigate requests
+            return
         self.log.info(
             "Storing token from url in cookie for %s",
             handler.request.remote_ip,
@@ -1197,7 +1202,12 @@ class HubOAuth(HubAuth):
         # set updated xsrf token cookie,
         # which changes after login
         handler._hub_auth_token_cookie = access_token
-        _set_xsrf_cookie(handler, handler._xsrf_token_id, cookie_path=self.base_url)
+        _set_xsrf_cookie(
+            handler,
+            handler._xsrf_token_id,
+            cookie_path=self.base_url,
+            authenticated=True,
+        )
 
     def clear_cookie(self, handler):
         """Clear the OAuth cookie"""