better errors when cookie auth check fails

treat it as an error, rather than failed login when the server can't even make the request to the upstream server to check the cookie, it is turned into various 500 errors, as appropriate avoid raising the error more than once per get_user call, since get_user is called during template rendering of the error page
2025-10-18 15:33:02 +00:00 · 2015-01-09 15:02:22 -08:00
parent 7268c079bb
commit f994ecdacb
1 changed files with 17 additions and 2 deletions
--- a/jupyterhub/singleuser.py
+++ b/jupyterhub/singleuser.py
@@ -9,6 +9,7 @@ import os
 import requests

 from tornado import ioloop
+from tornado.web import HTTPError

 from IPython.utils.traitlets import Unicode

@@ -35,7 +36,7 @@ class JupyterHubLoginHandler(LoginHandler):
    
    @staticmethod
    def verify_token(self, cookie_name, encrypted_cookie):
-        """monkeypatch method for token verification"""
+        """method for token verification"""
        cookie_cache = self.settings['cookie_cache']
        if encrypted_cookie in cookie_cache:
            # we've seen this token before, don't ask upstream again
@@ -51,9 +52,15 @@ class JupyterHubLoginHandler(LoginHandler):
        )
        if r.status_code == 404:
            data = {'user' : ''}
+        if r.status_code == 403:
+            self.log.error("I don't have permission to verify cookies, my auth token may have expired: [%i] %s", r.status_code, r.reason)
+            raise HTTPError(500, "Permission failure checking authorization, I may need to be restarted")
+        elif r.status_code >= 500:
+            self.log.error("Upstream failure verifying auth token: [%i] %s", r.status_code, r.reason)
+            raise HTTPError(502, "Failed to check authorization (upstream problem)")
        elif r.status_code >= 400:
            self.log.warn("Failed to check authorization: [%i] %s", r.status_code, r.reason)
-            data = None
+            raise HTTPError(500, "Failed to check authorization")
        else:
            data = r.json()
        cookie_cache[encrypted_cookie] = data
@@ -62,6 +69,13 @@ class JupyterHubLoginHandler(LoginHandler):
    @staticmethod
    def get_user(self):
        """alternative get_current_user to query the central server"""
+        # only allow this to be called once per handler
+        # avoids issues if an error is raised,
+        # since this may be called again when trying to render the error page
+        if hasattr(self, '_cached_user'):
+            return self._cached_user
+        
+        self._cached_user = None
        my_user = self.settings['user']
        encrypted_cookie = self.get_cookie(self.cookie_name)
        if encrypted_cookie:
@@ -71,6 +85,7 @@ class JupyterHubLoginHandler(LoginHandler):
                return None
            user = auth_data['user']
            if user == my_user:
+                self._cached_user = user
                return user
            else:
                return None