use outermost proxied entry when checking for browser protocol

wee care about what the browser sees, so trust the outermost entry instead of the innermost This is not secure _in general_, in that these values can be spoofed by malicious proxies, but for CORS and cookie purposes, we only care about what the browser sees, however many hops there may be. A malicious proxy in the chain here isn't a concern because what matters is the immediate hop from the _browser_, not the immediate hop from the _server_.
2025-10-07 10:04:07 +00:00 · 2022-01-07 14:03:11 +01:00
parent a2ba55756d
commit ccfee4d235
7 changed files with 119 additions and 13 deletions
--- a/jupyterhub/services/auth.py
+++ b/jupyterhub/services/auth.py
@@ -53,6 +53,7 @@ from traitlets import validate
 from traitlets.config import SingletonConfigurable

 from ..scopes import _intersect_expanded_scopes
+from ..utils import get_browser_protocol
 from ..utils import url_path_join


@@ -772,7 +773,7 @@ class HubOAuth(HubAuth):
            # OAuth that doesn't complete shouldn't linger too long.
            'max_age': 600,
        }
-        if handler.request.protocol == 'https':
+        if get_browser_protocol(handler.request) == 'https':
            kwargs['secure'] = True
        # load user cookie overrides
        kwargs.update(self.cookie_options)
@@ -812,7 +813,7 @@ class HubOAuth(HubAuth):
    def set_cookie(self, handler, access_token):
        """Set a cookie recording OAuth result"""
        kwargs = {'path': self.base_url, 'httponly': True}
-        if handler.request.protocol == 'https':
+        if get_browser_protocol(handler.request) == 'https':
            kwargs['secure'] = True
        # load user cookie overrides
        kwargs.update(self.cookie_options)