Merge pull request #3679 from minrk/forward-1.5

Forward-port fixes from 1.5.0 security release
2025-10-10 03:23:04 +00:00 · 2021-11-04 15:30:04 +01:00
parent f06902aa8f 3e185022c8
commit d076c55cca
3 changed files with 51 additions and 3 deletions
--- a/docs/source/changelog.md
+++ b/docs/source/changelog.md
--- a/jupyterhub/services/auth.py
+++ b/jupyterhub/services/auth.py
@@ -1023,8 +1023,8 @@ class HubAuthenticated:
            self._hub_auth_user_cache = None
            raise

-        # store tokens passed via url or header in a cookie for future requests
-        url_token = self.hub_auth.get_token(self)
+        # store ?token=... tokens passed via url in a cookie for future requests
+        url_token = self.get_argument('token', '')
        if (
            user_model
            and url_token
--- a/jupyterhub/singleuser/mixins.py
+++ b/jupyterhub/singleuser/mixins.py
@@ -715,6 +715,18 @@ class SingleUserNotebookAppMixin(Configurable):
        orig_loader = env.loader
        env.loader = ChoiceLoader([FunctionLoader(get_page), orig_loader])

+    def load_server_extensions(self):
+        # Loading LabApp sets $JUPYTERHUB_API_TOKEN on load, which is incorrect
+        r = super().load_server_extensions()
+        # clear the token in PageConfig at this step
+        # so that cookie auth is used
+        # FIXME: in the future,
+        # it would probably make sense to set page_config.token to the token
+        # from the current request.
+        if 'page_config_data' in self.web_app.settings:
+            self.web_app.settings['page_config_data']['token'] = ''
+        return r
+

 def detect_base_package(App):
    """Detect the base package for an App class