Merge pull request #3679 from minrk/forward-1.5

Forward-port fixes from 1.5.0 security release
2025-10-11 03:52:59 +00:00 · 2021-11-04 15:30:04 +01:00
parent f06902aa8f 3e185022c8
commit d076c55cca
3 changed files with 51 additions and 3 deletions
--- a/docs/source/changelog.md
+++ b/docs/source/changelog.md
--- a/jupyterhub/services/auth.py
+++ b/jupyterhub/services/auth.py
@@ -1023,8 +1023,8 @@ class HubAuthenticated:
            self._hub_auth_user_cache = None
            raise
-        # store tokens passed via url or header in a cookie for future requests
+        # store ?token=... tokens passed via url in a cookie for future requests
-        url_token = self.hub_auth.get_token(self)
+        url_token = self.get_argument('token', '')
        if (
            user_model
            and url_token
--- a/jupyterhub/singleuser/mixins.py
+++ b/jupyterhub/singleuser/mixins.py
@@ -715,6 +715,18 @@ class SingleUserNotebookAppMixin(Configurable):
        orig_loader = env.loader
        env.loader = ChoiceLoader([FunctionLoader(get_page), orig_loader])
    def load_server_extensions(self):
        # Loading LabApp sets $JUPYTERHUB_API_TOKEN on load, which is incorrect
        r = super().load_server_extensions()
        # clear the token in PageConfig at this step
        # so that cookie auth is used
        # FIXME: in the future,
        # it would probably make sense to set page_config.token to the token
        # from the current request.
        if 'page_config_data' in self.web_app.settings:
            self.web_app.settings['page_config_data']['token'] = ''
        return r
 def detect_base_package(App):
    """Detect the base package for an App class