hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-17 23:13:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

ensure oauth tokens with no client id aren’t accepted

Browse Source 
these should have been deleted by deleting oauth clients
This commit is contained in:
Min RK
2018-04-13 21:27:09 +02:00
parent c49fc14528
commit bc75c71ca3
2 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
jupyterhub/apihandlers/auth.py
View File

@@ -22,6 +22,11 @@ class TokenAPIHandler(APIHandler):
orm_token = orm.APIToken.find(self.db, token) orm_token = orm.APIToken.find(self.db, token)
if orm_token is None: if orm_token is None:
orm_token = orm.OAuthAccessToken.find(self.db, token) orm_token = orm.OAuthAccessToken.find(self.db, token)
if orm_token and not orm_token.client_id:
self.log.warning("Deleting stale oauth token for %s", orm_token.user)
self.db.delete(orm_token)
self.db.commit()
orm_token = None
if orm_token is None: if orm_token is None:
raise web.HTTPError(404) raise web.HTTPError(404)

12
jupyterhub/handlers/base.py
View File

@@ -195,11 +195,15 @@ class BaseHandler(RequestHandler):
orm_token = orm.OAuthAccessToken.find(self.db, token) orm_token = orm.OAuthAccessToken.find(self.db, token)
if orm_token is None: if orm_token is None:
return None return None
else: if orm_token and not orm_token.client_id:
orm_token.last_activity = \ self.log.warning("Deleting stale oauth token for %s", orm_token.user)
orm_token.user.last_activity = datetime.utcnow() self.db.delete(orm_token)
self.db.commit() self.db.commit()
return self._user_from_orm(orm_token.user) return None
orm_token.last_activity = \
orm_token.user.last_activity = datetime.utcnow()
self.db.commit()
return self._user_from_orm(orm_token.user)
def get_current_user_token(self): def get_current_user_token(self):
"""get_current_user from Authorization header token""" """get_current_user from Authorization header token"""