From d2a07aaf1be10e156395d09d2e5eb8ca8f080f20 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Wed, 20 Mar 2024 13:21:34 +0100
Subject: [PATCH] forward-port 4.1.0

---
 docs/source/conf.py | 2 ++
 jupyterhub/services/auth.py | 1 +
 jupyterhub/tests/test_services_auth.py | 44 +++++--------------------
 jupyterhub/tests/test_singleuser.py | 2 +-
 4 files changed, 12 insertions(+), 37 deletions(-)

diff --git a/docs/source/conf.py b/docs/source/conf.py
index 7f80b823..213b32e6 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -289,6 +289,8 @@ linkcheck_ignore = [
 "https://github.com/jupyterhub/jupyterhub/compare/", # too many comparisons in changelog
 r"https?://(localhost|127.0.0.1).*", # ignore localhost references in auto-links
 r"https://linux.die.net/.*", # linux.die.net seems to block requests from CI with 403 sometimes
+ # don't check links to unpublished advisories
+ r"https://github.com/jupyterhub/jupyterhub/security/advisories/.*",
 ]
 linkcheck_anchors_ignore = [
 "/#!",
diff --git a/jupyterhub/services/auth.py b/jupyterhub/services/auth.py
index 2f6566bb..b270f3b2 100644
--- a/jupyterhub/services/auth.py
+++ b/jupyterhub/services/auth.py
@@ -1203,6 +1203,7 @@ class HubOAuth(HubAuth):
 for cookie_name, cookie in handler.request.cookies.items():
 if cookie_name.startswith(self.state_cookie_name):
 self._clear_cookie(
+ handler,
 cookie_name,
 path=self.cookie_path,
 )
diff --git a/jupyterhub/tests/test_services_auth.py b/jupyterhub/tests/test_services_auth.py
index ca836971..e5aa3349 100644
--- a/jupyterhub/tests/test_services_auth.py
+++ b/jupyterhub/tests/test_services_auth.py
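Review bot: The `handler` argument being missing from the `self._clear_cookie(` call presumably made this state-cookie clearing branch fail with a TypeError before the fix, which suggests no test reached it; a regression test that leaves two or more `state_cookie_name`-prefixed cookies on a request and asserts every one of them is cleared would keep this path covered. The loop binds `cookie` but never reads it, so `for cookie_name in handler.request.cookies:` expresses the same iteration without the unused value. The enclosing method starts and ends outside the hunk.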
@@ -86,17 +86,9 @@ async def test_hubauth_token(app, mockservice_url, create_user_with_scopes):
 sub_reply = {key: reply.get(key, 'missing') for key in ['name', 'admin']}
 assert sub_reply == {'name': u.name, 'admin': False}
 
- # token in ?token parameter
+ # token in ?token parameter is not allowed by default
 r = await async_requests.get(
- public_url(app, mockservice_url) + '/whoami/?token=%s' % token
- )
- r.raise_for_status()
- reply = r.json()
- sub_reply = {key: reply.get(key, 'missing') for key in ['name', 'admin']}
- assert sub_reply == {'name': u.name, 'admin': False}
-
- r = await async_requests.get(
- public_url(app, mockservice_url) + '/whoami/?token=no-such-token',
+ public_url(app, mockservice_url) + '/whoami/?token=%s' % token,
 allow_redirects=False,
 )
 assert r.status_code == 302
@@ -180,21 +172,9 @@ async def test_hubauth_service_token(request, app, mockservice_url, scopes, allo
 else:
 assert r.status_code == 403
 
- # token in ?token parameter
+ # token in ?token parameter is not allowed by default
 r = await async_requests.get(
- public_url(app, mockservice_url) + 'whoami/?token=%s' % token
- )
- if allowed:
- r.raise_for_status()
- assert r.status_code == 200
- reply = r.json()
- assert service_model.items() <= reply.items()
- assert not r.cookies
- else:
- assert r.status_code == 403
-
- r = await async_requests.get(
- public_url(app, mockservice_url) + 'whoami/?token=no-such-token',
+ public_url(app, mockservice_url) + 'whoami/?token=%s' % token,
 allow_redirects=False,
 )
 assert r.status_code == 302
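Review bot: The new `?token=` request in test_hubauth_token is checked only by `assert r.status_code == 302`, which would also pass if the query-string token had been accepted and the service then redirected for some other reason; adding `assert not r.cookies` after the status check, and asserting that `r.headers["Location"]` points at the login/OAuth flow if that target is stable here, would pin down that the URL token was ignored rather than consumed. `allow_redirects=False` is what makes the 302 observable, so it should stay. test_hubauth_token starts outside the hunk and may continue past it.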
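Review bot: In the test_hubauth_service_token hunk the removed block carried `assert not r.cookies` for the URL-token request, and the replacement keeps only the 302 check, so a rejected query-string token that nonetheless leaves a session cookie behind would no longer be caught; `assert not r.cookies` after the status assertion restores that coverage. Because this request no longer depends on `allowed`, the same expectation now holds for every parametrization, which the comment could say explicitly: `# token in ?token parameter is not allowed by default, regardless of scopes`. test_hubauth_service_token starts outside the hunk and may continue past it.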
@@ -385,22 +365,14 @@ async def test_oauth_service_roles(
 
 # token-authenticated request to HubOAuth
 token = app.users[name].new_api_token()
- # token in ?token parameter
- r = await async_requests.get(url_concat(url, {'token': token}), headers=s.headers)
+ s.headers["Authorization"] = f"Bearer {token}"
+ r = await async_requests.get(url, headers=s.headers)
 r.raise_for_status()
 reply = r.json()
 assert reply['name'] == name
 
- # verify that ?token= requests set a cookie
- assert len(r.cookies) != 0
- # ensure cookie works in future requests
- r = await async_requests.get(
- url, cookies=r.cookies, allow_redirects=False, headers=s.headers
- )
- r.raise_for_status()
- assert r.url == url
- reply = r.json()
- assert reply['name'] == name
+ # tokens in headers don't set cookies
+ assert len(r.cookies) == 0
 
 
 @pytest.mark.parametrize(
diff --git a/jupyterhub/tests/test_singleuser.py b/jupyterhub/tests/test_singleuser.py
index 938fcbb6..f5b16763 100644
--- a/jupyterhub/tests/test_singleuser.py
+++ b/jupyterhub/tests/test_singleuser.py
@@ -394,7 +394,7 @@ async def test_nbclassic_control_panel(app, user, full_spawn):
 async def test_token_url_cookie(app, user, full_spawn, accept_token_in_url):
 if accept_token_in_url:
 user.spawner.environment["JUPYTERHUB_ALLOW_TOKEN_IN_URL"] = accept_token_in_url
- should_accept = accept_token_in_url != "0"
+ should_accept = accept_token_in_url == "1"
 await user.spawn()
 await app.proxy.add_user(user)
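Review bot: The Bearer-header path in test_oauth_service_roles now has only a positive check plus `assert len(r.cookies) == 0`, so nothing shows that the header is what authenticated the request rather than state already present on `s`; a follow-up request with a bogus token, `r = await async_requests.get(url, headers={**s.headers, "Authorization": "Bearer no-such-token"}, allow_redirects=False)` followed by `assert r.status_code != 200`, would close that gap. `assert not r.cookies` is the form used elsewhere in this module and reads better than the `len(...) == 0` comparison. Assigning into `s.headers` mutates the shared session; the function ends inside the hunk so nothing else is affected, but a per-request `headers={**s.headers, "Authorization": f"Bearer {token}"}` would avoid the side effect if the test grows. test_oauth_service_roles starts outside the hunk.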