Merge pull request #3538 from consideRatio/pr/release-1.4.2

Release 1.4.2
release 1.4.2
2025-10-10 19:43:01 +00:00 · 2021-07-16 10:57:54 +00:00 · 2021-07-15 16:57:54 +02:00 · 2021-07-15 16:57:52 +02:00 · 2021-07-15 10:16:18 +02:00 · 2021-07-15 10:16:16 +02:00
355 changed files with 9637 additions and 39144 deletions
--- a/.flake8
+++ b/.flake8
@@ -3,9 +3,14 @@
 # E: style errors
 # W: style warnings
 # C: complexity
-# D: docstring warnings (unused pydocstyle extension)
+# F401: module imported but unused
 # F403: import *
 # F811: redefinition of unused `name` from line `N`
 # F841: local variable assigned but never used
-ignore = E, C, W, D, F841
+# E402: module level import not at top of file
 # I100: Import statements are in the wrong order
 # I101: Imported names are in the wrong order. Should be
 ignore = E, C, W, F401, F403, F811, F841, E402, I100, I101, D400
 builtins = c, get_config
 exclude =
    .cache,
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -1,16 +0,0 @@
 # dependabot.yaml reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 #
 # Notes:
 # - Status and logs from dependabot are provided at
 #   https://github.com/jupyterhub/jupyterhub/network/updates.
 #
 version: 2
 updates:
  # Maintain dependencies in our GitHub Workflows
  - package-ecosystem: github-actions
    directory: /
    labels: [ci]
    schedule:
      interval: monthly
      time: "05:00"
      timezone: Etc/UTC
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,49 +1,27 @@
-# This is a GitHub workflow defining a set of jobs with a set of steps.
+# Build releases and (on tags) publish to PyPI
 # ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
 #
 # Test build release artifacts (PyPI package, Docker images) and publish them on
 # pushed git tags.
 #
 name: Release
 # always build releases (to make sure wheel-building works)
 # but only publish to PyPI on tags
 on:
  pull_request:
    paths-ignore:
      - "docs/**"
      - "**.md"
      - "**.rst"
      - ".github/workflows/*"
      - "!.github/workflows/release.yml"
  push:
-    paths-ignore:
+  pull_request:
      - "docs/**"
      - "**.md"
      - "**.rst"
      - ".github/workflows/*"
      - "!.github/workflows/release.yml"
    branches-ignore:
      - "dependabot/**"
      - "pre-commit-ci-update-config"
    tags:
      - "**"
  workflow_dispatch:
 jobs:
  build-release:
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v2
        with:
-          python-version: "3.9"
+          python-version: 3.8
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v1
        with:
          node-version: "14"
-      - name: install build requirements
+      - name: install build package
        run: |
          npm install -g yarn
          pip install --upgrade pip
          pip install build
          pip freeze
@@ -53,21 +31,28 @@ jobs:
          python -m build --sdist --wheel .
          ls -l dist
-      - name: verify sdist
+      - name: verify wheel
        run: |
-          ./ci/check_sdist.py dist/jupyterhub-*.tar.gz
+          cd dist
-
+          pip install ./*.whl
-      - name: verify data-files are installed where they are found
+          # verify data-files are installed where they are found
-        run: |
+          cat <<EOF | python
-          pip install dist/*.whl
+          import os
-          ./ci/check_installed_data.py
+          from jupyterhub._data import DATA_FILES_PATH
-
+          print(f"DATA_FILES_PATH={DATA_FILES_PATH}")
-      - name: verify sdist can be installed without npm/yarn
+          assert os.path.exists(DATA_FILES_PATH), DATA_FILES_PATH
-        run: |
+          for subpath in (
-          docker run --rm -v $PWD/dist:/dist:ro docker.io/library/python:3.9-slim-bullseye bash -c 'pip install /dist/jupyterhub-*.tar.gz'
+              "templates/page.html",
              "static/css/style.min.css",
              "static/components/jquery/dist/jquery.js",
          ):
              path = os.path.join(DATA_FILES_PATH, subpath)
              assert os.path.exists(path), path
          print("OK")
          EOF
      # ref: https://github.com/actions/upload-artifact#readme
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: jupyterhub-${{ github.sha }}
          path: "dist/*"
@@ -84,7 +69,6 @@ jobs:
  publish-docker:
    runs-on: ubuntu-20.04
    timeout-minutes: 20
    services:
      # So that we can test this in PRs/branches
@@ -103,16 +87,17 @@ jobs:
              echo "REGISTRY=localhost:5000/" >> $GITHUB_ENV
          fi
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      # Setup docker to build for multiple platforms, see:
      # https://github.com/docker/build-push-action/tree/v2.4.0#usage
      # https://github.com/docker/build-push-action/blob/v2.4.0/docs/advanced/multi-platform.md
      - name: Set up QEMU (for docker buildx)
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@25f0500ff22e406f7191a2a8ba8cda16901ca018 # associated tag: v1.0.2
      - name: Set up Docker Buildx (for multi-arch builds)
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@2a4b53665e15ce7d7049afb11ff1f70ff1610609 # associated tag: v1.1.2
        with:
          # Allows pushing to registry on localhost:5000
          driver-opts: network=host
@@ -131,8 +116,6 @@ jobs:
        run: |
          docker login -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.DOCKERHUB_TOKEN }}"
      # image: jupyterhub/jupyterhub
      #
      # https://github.com/jupyterhub/action-major-minor-tag-calculator
      # If this is a tagged build this will return additional parent tags.
      # E.g. 1.2.3 is expanded to Docker tags
@@ -142,15 +125,14 @@ jobs:
      # If GITHUB_TOKEN isn't available (e.g. in PRs) returns no tags [].
      - name: Get list of jupyterhub tags
        id: jupyterhubtags
-        uses: jupyterhub/action-major-minor-tag-calculator@v2
+        uses: jupyterhub/action-major-minor-tag-calculator@v1
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          prefix: "${{ env.REGISTRY }}jupyterhub/jupyterhub:"
          defaultTag: "${{ env.REGISTRY }}jupyterhub/jupyterhub:noref"
          branchRegex: ^\w[\w-.]*$
      - name: Build and push jupyterhub
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        uses: docker/build-push-action@e1b7f96249f2e4c8e4ac1519b9608c0d48944a1f # associated tag: v2.4.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64
@@ -159,19 +141,18 @@ jobs:
          # array into a comma separated list of tags
          tags: ${{ join(fromJson(steps.jupyterhubtags.outputs.tags)) }}
-      # image: jupyterhub/jupyterhub-onbuild
+      # jupyterhub-onbuild
-      #
+
      - name: Get list of jupyterhub-onbuild tags
        id: onbuildtags
-        uses: jupyterhub/action-major-minor-tag-calculator@v2
+        uses: jupyterhub/action-major-minor-tag-calculator@v1
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          prefix: "${{ env.REGISTRY }}jupyterhub/jupyterhub-onbuild:"
          defaultTag: "${{ env.REGISTRY }}jupyterhub/jupyterhub-onbuild:noref"
          branchRegex: ^\w[\w-.]*$
      - name: Build and push jupyterhub-onbuild
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        uses: docker/build-push-action@e1b7f96249f2e4c8e4ac1519b9608c0d48944a1f # associated tag: v2.4.0
        with:
          build-args: |
            BASE_IMAGE=${{ fromJson(steps.jupyterhubtags.outputs.tags)[0] }}
@@ -180,19 +161,18 @@ jobs:
          push: true
          tags: ${{ join(fromJson(steps.onbuildtags.outputs.tags)) }}
-      # image: jupyterhub/jupyterhub-demo
+      # jupyterhub-demo
-      #
+
      - name: Get list of jupyterhub-demo tags
        id: demotags
-        uses: jupyterhub/action-major-minor-tag-calculator@v2
+        uses: jupyterhub/action-major-minor-tag-calculator@v1
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          prefix: "${{ env.REGISTRY }}jupyterhub/jupyterhub-demo:"
          defaultTag: "${{ env.REGISTRY }}jupyterhub/jupyterhub-demo:noref"
          branchRegex: ^\w[\w-.]*$
      - name: Build and push jupyterhub-demo
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        uses: docker/build-push-action@e1b7f96249f2e4c8e4ac1519b9608c0d48944a1f # associated tag: v2.4.0
        with:
          build-args: |
            BASE_IMAGE=${{ fromJson(steps.onbuildtags.outputs.tags)[0] }}
@@ -203,24 +183,3 @@ jobs:
          platforms: linux/amd64
          push: true
          tags: ${{ join(fromJson(steps.demotags.outputs.tags)) }}
      # image: jupyterhub/singleuser
      #
      - name: Get list of jupyterhub/singleuser tags
        id: singleusertags
        uses: jupyterhub/action-major-minor-tag-calculator@v2
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          prefix: "${{ env.REGISTRY }}jupyterhub/singleuser:"
          defaultTag: "${{ env.REGISTRY }}jupyterhub/singleuser:noref"
          branchRegex: ^\w[\w-.]*$
      - name: Build and push jupyterhub/singleuser
        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
        with:
          build-args: |
            JUPYTERHUB_VERSION=${{ github.ref_type == 'tag' && github.ref_name || format('git:{0}', github.sha) }}
          context: singleuser
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ join(fromJson(steps.singleusertags.outputs.tags)) }}
--- a/.github/workflows/support-bot.yml
+++ b/.github/workflows/support-bot.yml
@@ -1,31 +0,0 @@
 # https://github.com/dessant/support-requests
 name: "Support Requests"
 on:
  issues:
    types: [labeled, unlabeled, reopened]
 permissions:
  issues: write
 jobs:
  action:
    runs-on: ubuntu-latest
    steps:
      - uses: dessant/support-requests@v3
        with:
          github-token: ${{ github.token }}
          support-label: "support"
          issue-comment: |
            Hi there @{issue-author} :wave:!
            I closed this issue because it was labelled as a support question.
            Please help us organize discussion by posting this on the http://discourse.jupyter.org/ forum.
            Our goal is to sustain a positive experience for both users and developers. We use GitHub issues for specific discussions related to changing a repository's content, and let the forum be where we can more generally help and inspire each other.
            Thank you for being an active member of our community! :heart:
          close-issue: true
          lock-issue: false
          issue-lock-reason: "off-topic"
--- a/.github/workflows/test-docs.yml
+++ b/.github/workflows/test-docs.yml
@@ -1,107 +0,0 @@
 # This is a GitHub workflow defining a set of jobs with a set of steps.
 # ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
 #
 # This workflow validates the REST API definition and runs the pytest tests in
 # the docs/ folder. This workflow does not build the documentation. That is
 # instead tested via ReadTheDocs (https://readthedocs.org/projects/jupyterhub/).
 #
 name: Test docs
 # The tests defined in docs/ are currently influenced by changes to _version.py
 # and scopes.py.
 on:
  pull_request:
    paths:
      - "docs/**"
      - "jupyterhub/_version.py"
      - "jupyterhub/scopes.py"
      - ".github/workflows/test-docs.yml"
  push:
    paths:
      - "docs/**"
      - "jupyterhub/_version.py"
      - "jupyterhub/scopes.py"
      - ".github/workflows/test-docs.yml"
    branches-ignore:
      - "dependabot/**"
      - "pre-commit-ci-update-config"
    tags:
      - "**"
  workflow_dispatch:
 env:
  # UTF-8 content may be interpreted as ascii and causes errors without this.
  LANG: C.UTF-8
  PYTEST_ADDOPTS: "--verbose --color=yes"
 jobs:
  validate-rest-api-definition:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
      - name: Validate REST API definition
        uses: char0n/swagger-editor-validate@v1.3.2
        with:
          definition-file: docs/source/_static/rest-api.yml
  test-docs:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
        with:
          # make rediraffecheckdiff requires git history to compare current
          # commit with the main branch and previous releases.
          fetch-depth: 0
      - uses: actions/setup-python@v4
        with:
          python-version: "3.9"
      - name: Install requirements
        run: |
          pip install -r docs/requirements.txt pytest
      - name: pytest docs/
        run: |
          pytest docs/
      # readthedocs doesn't halt on warnings,
      # so raise any warnings here
      - name: build docs
        run: |
          cd docs
          make html
      - name: check links
        run: |
          cd docs
          make linkcheck
      # make rediraffecheckdiff compares files for different changesets
      # these diff targets aren't always available
      # - compare with base ref (usually 'main', always on 'origin') for pull requests
      # - only compare with tags when running against jupyterhub/jupyterhub
      #   to avoid errors on forks, which often lack tags
      - name: check redirects for this PR
        if: github.event_name == 'pull_request'
        run: |
          cd docs
          export REDIRAFFE_BRANCH=origin/${{ github.base_ref }}
          make rediraffecheckdiff
      # this should check currently published 'stable' links for redirects
      - name: check redirects since last release
        if: github.repository == 'jupyterhub/jupyterhub'
        run: |
          cd docs
          export REDIRAFFE_BRANCH=$(git describe --tags --abbrev=0)
          make rediraffecheckdiff
      # longer-term redirect check (fixed version) for older links
      - name: check redirects since 3.0.0
        if: github.repository == 'jupyterhub/jupyterhub'
        run: |
          cd docs
          export REDIRAFFE_BRANCH=3.0.0
          make rediraffecheckdiff
--- a/.github/workflows/test-jsx.yml
+++ b/.github/workflows/test-jsx.yml
@@ -1,52 +0,0 @@
 # This is a GitHub workflow defining a set of jobs with a set of steps.
 # ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
 #
 name: Test jsx (admin-react.js)
 on:
  pull_request:
    paths:
      - "jsx/**"
      - ".github/workflows/test-jsx.yml"
  push:
    paths:
      - "jsx/**"
      - ".github/workflows/test-jsx.yml"
    branches-ignore:
      - "dependabot/**"
      - "pre-commit-ci-update-config"
    tags:
      - "**"
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  # The ./jsx folder contains React based source code files that are to compile
  # to share/jupyterhub/static/js/admin-react.js. The ./jsx folder includes
  # tests also has tests that this job is meant to run with `yarn test`
  # according to the documentation in jsx/README.md.
  test-jsx-admin-react:
    runs-on: ubuntu-20.04
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: "14"
      - name: Install yarn
        run: |
          npm install -g yarn
      - name: yarn
        run: |
          cd jsx
          yarn
      - name: yarn test
        run: |
          cd jsx
          yarn test
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,43 +1,60 @@
 # This is a GitHub workflow defining a set of jobs with a set of steps.
-# ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
+# ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
 #
 name: Test
 # Trigger the workflow's on all PRs but only on pushed tags or commits to
 # main/master branch to avoid PRs developed in a GitHub fork's dedicated branch
 # to trigger.
 on:
  pull_request:
    paths-ignore:
      - "docs/**"
      - "**.md"
      - "**.rst"
      - ".github/workflows/*"
      - "!.github/workflows/test.yml"
  push:
    paths-ignore:
      - "docs/**"
      - "**.md"
      - "**.rst"
      - ".github/workflows/*"
      - "!.github/workflows/test.yml"
    branches-ignore:
      - "dependabot/**"
      - "pre-commit-ci-update-config"
    tags:
      - "**"
  workflow_dispatch:
 defaults:
  run:
    # Declare bash be used by default in this workflow's "run" steps.
    #
    # NOTE: bash will by default run with:
    #   --noprofile: Ignore ~/.profile etc.
    #   --norc:      Ignore ~/.bashrc etc.
    #   -e:          Exit directly on errors
    #   -o pipefail: Don't mask errors from a command piped into another command
    shell: bash
 env:
  # UTF-8 content may be interpreted as ascii and causes errors without this.
  LANG: C.UTF-8
  SQLALCHEMY_WARN_20: "1"
 permissions:
  contents: read
 jobs:
  # Run "pre-commit run --all-files"
  pre-commit:
    runs-on: ubuntu-20.04
    timeout-minutes: 2
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: 3.8
      # ref: https://github.com/pre-commit/action
      - uses: pre-commit/action@v2.0.0
      - name: Help message if pre-commit fail
        if: ${{ failure() }}
        run: |
          echo "You can install pre-commit hooks to automatically run formatting"
          echo "on each commit with:"
          echo "    pre-commit install"
          echo "or you can run by hand on staged files with"
          echo "    pre-commit run"
          echo "or after-the-fact on already committed files with"
          echo "    pre-commit run --all-files"
  # Run "pytest jupyterhub/tests" in various configurations
  pytest:
    runs-on: ubuntu-20.04
-    timeout-minutes: 15
+    timeout-minutes: 10
    strategy:
      # Keep running even if one variation of the job fail
@@ -56,9 +73,9 @@ jobs:
        #   Tests everything when JupyterHub works against a dedicated mysql or
        #   postgresql server.
        #
-        # legacy_notebook:
+        # jupyter_server:
        #   Tests everything when the user instances are started with
-        #   the legacy notebook server instead of jupyter_server.
+        #   jupyter_server instead of notebook.
        #
        # ssl:
        #   Tests everything using internal SSL connections instead of
@@ -66,41 +83,25 @@ jobs:
        #
        # main_dependencies:
        #   Tests everything when the we use the latest available dependencies
-        #   from: traitlets.
+        #   from: ipytraitlets.
        #
        # NOTE: Since only the value of these parameters are presented in the
        #       GitHub UI when the workflow run, we avoid using true/false as
        #       values by instead duplicating the name to signal true.
        # Python versions available at:
        #   https://github.com/actions/python-versions/blob/HEAD/versions-manifest.json
        include:
-          - python: "3.7"
+          - python: "3.6"
            oldest_dependencies: oldest_dependencies
-            legacy_notebook: legacy_notebook
+          - python: "3.6"
-          - python: "3.8"
+            subdomain: subdomain
-            jupyter_server: "1.*"
+          - python: "3.7"
            subset: singleuser
          - python: "3.9"
            db: mysql
-          - python: "3.10"
+          - python: "3.7"
            ssl: ssl
          - python: "3.8"
            db: postgres
-          - python: "3.11"
+          - python: "3.8"
-            subdomain: subdomain
+            jupyter_server: jupyter_server
-            serverextension: serverextension
+          - python: "3.9"
          - python: "3.11"
            ssl: ssl
            serverextension: serverextension
          - python: "3.11"
            subdomain: subdomain
            noextension: noextension
            subset: singleuser
          - python: "3.11"
            ssl: ssl
            noextension: noextension
            subset: singleuser
          - python: "3.11"
            browser: browser
          - python: "3.11"
            main_dependencies: main_dependencies
    steps:
@@ -114,7 +115,7 @@ jobs:
          fi
          if [ "${{ matrix.db }}" == "mysql" ]; then
              echo "MYSQL_HOST=127.0.0.1" >> $GITHUB_ENV
-              echo "JUPYTERHUB_TEST_DB_URL=mysql+mysqldb://root@127.0.0.1:3306/jupyterhub" >> $GITHUB_ENV
+              echo "JUPYTERHUB_TEST_DB_URL=mysql+mysqlconnector://root@127.0.0.1:3306/jupyterhub" >> $GITHUB_ENV
          fi
          if [ "${{ matrix.ssl }}" == "ssl" ]; then
              echo "SSL_ENABLED=1" >> $GITHUB_ENV
@@ -125,35 +126,32 @@ jobs:
              echo "PGPASSWORD=hub[test/:?" >> $GITHUB_ENV
              echo "JUPYTERHUB_TEST_DB_URL=postgresql://test_user:hub%5Btest%2F%3A%3F@127.0.0.1:5432/jupyterhub" >> $GITHUB_ENV
          fi
-          if [ "${{ matrix.serverextension }}" != "" ]; then
+          if [ "${{ matrix.jupyter_server }}" != "" ]; then
-              echo "JUPYTERHUB_SINGLEUSER_EXTENSION=1" >> $GITHUB_ENV
+              echo "JUPYTERHUB_SINGLEUSER_APP=jupyterhub.tests.mockserverapp.MockServerApp" >> $GITHUB_ENV
          elif [ "${{ matrix.noextension }}" != "" ]; then
              echo "JUPYTERHUB_SINGLEUSER_EXTENSION=0" >> $GITHUB_ENV
          fi
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
-      # NOTE: actions/setup-node@v3 make use of a cache within the GitHub base
+      # NOTE: actions/setup-node@v1 make use of a cache within the GitHub base
      #       environment and setup in a fraction of a second.
      - name: Install Node v14
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v1
        with:
          node-version: "14"
-      - name: Install Javascript dependencies
+      - name: Install Node dependencies
        run: |
          npm install
-          npm install -g configurable-http-proxy yarn
+          npm install -g configurable-http-proxy
          npm list
-      # NOTE: actions/setup-python@v4 make use of a cache within the GitHub base
+      # NOTE: actions/setup-python@v2 make use of a cache within the GitHub base
      #       environment and setup in a fraction of a second.
      - name: Install Python ${{ matrix.python }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v2
        with:
-          python-version: "${{ matrix.python }}"
+          python-version: ${{ matrix.python }}
      - name: Install Python dependencies
        run: |
          pip install --upgrade pip
-          pip install -e ".[test]"
+          pip install --upgrade . -r dev-requirements.txt
          if [ "${{ matrix.oldest_dependencies }}" != "" ]; then
            # take any dependencies in requirements.txt such as tornado>=5.0
@@ -164,27 +162,18 @@ jobs:
          fi
          if [ "${{ matrix.main_dependencies }}" != "" ]; then
-              # Tests are broken:
+              pip install git+https://github.com/ipython/traitlets#egg=traitlets --force
              # https://github.com/jupyterhub/jupyterhub/issues/4418
              # pip install git+https://github.com/ipython/traitlets#egg=traitlets --force
              pip install --upgrade --pre sqlalchemy
          fi
          if [ "${{ matrix.legacy_notebook }}" != "" ]; then
              pip uninstall jupyter_server --yes
              pip install 'notebook<7'
          fi
          if [ "${{ matrix.jupyter_server }}" != "" ]; then
-              pip install "jupyter_server==${{ matrix.jupyter_server }}"
+              pip uninstall notebook --yes
              pip install jupyter_server
          fi
          if [ "${{ matrix.db }}" == "mysql" ]; then
-              pip install mysqlclient
+              pip install mysql-connector-python
          fi
          if [ "${{ matrix.db }}" == "postgres" ]; then
              pip install psycopg2-binary
          fi
          if [ "${{ matrix.serverextension }}" != "" ]; then
            pip install 'jupyter-server>=2'
          fi
          pip freeze
@@ -213,47 +202,39 @@ jobs:
        if: ${{ matrix.db }}
        run: |
          if [ "${{ matrix.db }}" == "mysql" ]; then
            if [[ -z "$(which mysql)" ]]; then
              sudo apt-get update
              sudo apt-get install -y mysql-client
            fi
              DB=mysql bash ci/docker-db.sh
              DB=mysql bash ci/init-db.sh
          fi
          if [ "${{ matrix.db }}" == "postgres" ]; then
            if [[ -z "$(which psql)" ]]; then
              sudo apt-get update
              sudo apt-get install -y postgresql-client
            fi
              DB=postgres bash ci/docker-db.sh
              DB=postgres bash ci/init-db.sh
          fi
      - name: Configure browser tests
        if: matrix.browser
        run: echo "PYTEST_ADDOPTS=$PYTEST_ADDOPTS -m browser" >> "${GITHUB_ENV}"
      - name: Ensure browsers are installed for playwright
        if: matrix.browser
        run: python -m playwright install --with-deps
      - name: Run pytest
        # FIXME: --color=yes explicitly set because:
        #        https://github.com/actions/runner/issues/241
        run: |
-          pytest -k "${{ matrix.subset }}" --maxfail=2 --cov=jupyterhub jupyterhub/tests
+          pytest -v --maxfail=2 --color=yes --cov=jupyterhub jupyterhub/tests
-
+      - name: Submit codecov report
-      - uses: codecov/codecov-action@v3
+        run: |
          codecov
  docker-build:
    runs-on: ubuntu-20.04
-    timeout-minutes: 20
+    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - name: build images
        run: |
-          DOCKER_BUILDKIT=1 docker build -t jupyterhub/jupyterhub .
+          docker build -t jupyterhub/jupyterhub .
          docker build -t jupyterhub/jupyterhub-onbuild onbuild
          docker build -t jupyterhub/jupyterhub:alpine -f dockerfiles/Dockerfile.alpine .
          docker build -t jupyterhub/singleuser singleuser
      - name: smoke test jupyterhub
--- a/.gitignore
+++ b/.gitignore
@@ -8,22 +8,16 @@ dist
 docs/_build
 docs/build
 docs/source/_static/rest-api
 docs/source/rbac/scope-table.md
 docs/source/reference/metrics.md
 .ipynb_checkpoints
 jsx/build/
 # ignore config file at the top-level of the repo
 # but not sub-dirs
 /jupyterhub_config.py
 jupyterhub_cookie_secret
 jupyterhub.sqlite
 jupyterhub.sqlite*
 package-lock.json
 share/jupyterhub/static/components
 share/jupyterhub/static/css/style.min.css
 share/jupyterhub/static/css/style.min.css.map
 share/jupyterhub/static/js/admin-react.js*
 *.egg-info
 MANIFEST
 .coverage
@@ -35,5 +29,3 @@ htmlcov
 pip-wheel-metadata
 docs/source/reference/metrics.rst
 oldest-requirements.txt
 jupyterhub-proxy.pid
 examples/server-api/service-token
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,66 +1,24 @@
 # pre-commit is a tool to perform a predefined set of tasks manually and/or
 # automatically before git commits are made.
 #
 # Config reference: https://pre-commit.com/#pre-commit-configyaml---top-level
 #
 # Common tasks
 #
 # - Run on all files:   pre-commit run --all-files
 # - Register git hooks: pre-commit install --install-hooks
 #
 ci:
  # pre-commit.ci will open PRs updating our hooks once a month
  autoupdate_schedule: monthly
 repos:
-  # Autoformat: Python code, syntax patterns are modernized
+  - repo: https://github.com/asottile/reorder_python_imports
-  - repo: https://github.com/asottile/pyupgrade
+    rev: v1.9.0
    rev: v3.4.0
    hooks:
-      - id: pyupgrade
+      - id: reorder-python-imports
        args:
          - --py37-plus
  # Autoformat: Python code
  - repo: https://github.com/PyCQA/autoflake
    rev: v2.1.1
    hooks:
      - id: autoflake
        # args ref: https://github.com/PyCQA/autoflake#advanced-usage
        args:
          - --in-place
  # Autoformat: Python code
  - repo: https://github.com/pycqa/isort
    rev: 5.12.0
    hooks:
      - id: isort
  # Autoformat: Python code
  - repo: https://github.com/psf/black
-    rev: 23.3.0
+    rev: 20.8b1
    hooks:
      - id: black
  # Autoformat: markdown, yaml, javascript (see the file .prettierignore)
  - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.0.0-alpha.9-for-vscode
+    rev: v2.2.1
    hooks:
      - id: prettier
-
+  - repo: https://gitlab.com/pycqa/flake8
-  # Autoformat and linting, misc. details
+    rev: "3.8.4"
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: end-of-file-fixer
        exclude: share/jupyterhub/static/js/admin-react.js
      - id: requirements-txt-fixer
      - id: check-case-conflict
      - id: check-executables-have-shebangs
  # Linting: Python code (see the file .flake8)
  - repo: https://github.com/PyCQA/flake8
    rev: "6.0.0"
    hooks:
      - id: flake8
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v3.4.0
    hooks:
      - id: end-of-file-fixer
      - id: check-case-conflict
      - id: check-executables-have-shebangs
      - id: requirements-txt-fixer
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,3 +1 @@
 share/jupyterhub/templates/
 share/jupyterhub/static/js/admin-react.js
 jupyterhub/singleuser/templates/
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -1,25 +0,0 @@
 # Configuration on how ReadTheDocs (RTD) builds our documentation
 # ref: https://readthedocs.org/projects/jupyterhub/
 # ref: https://docs.readthedocs.io/en/stable/config-file/v2.html
 #
 version: 2
 sphinx:
  configuration: docs/source/conf.py
 build:
  os: ubuntu-20.04
  tools:
    nodejs: "16"
    python: "3.9"
 python:
  install:
    - requirements: docs/requirements.txt
 formats:
  # Adding htmlzip enables a Downloads section in the rendered website's RTD
  # menu where the html build can be downloaded. This doesn't require any
  # additional configuration in docs/source/conf.py.
  #
  - htmlzip
--- a/CHECKLIST-Release.md
+++ b/CHECKLIST-Release.md
@@ -0,0 +1,26 @@
 # Release checklist
 - [ ] Upgrade Docs prior to Release
  - [ ] Change log
  - [ ] New features documented
  - [ ] Update the contributor list - thank you page
 - [ ] Upgrade and test Reference Deployments
 - [ ] Release software
  - [ ] Make sure 0 issues in milestone
  - [ ] Follow release process steps
  - [ ] Send builds to PyPI (Warehouse) and Conda Forge
 - [ ] Blog post and/or release note
 - [ ] Notify users of release
  - [ ] Email Jupyter and Jupyter In Education mailing lists
  - [ ] Tweet (optional)
 - [ ] Increment the version number for the next release
 - [ ] Update roadmap
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -6,9 +6,134 @@ you can follow the [Jupyter contributor guide](https://jupyter.readthedocs.io/en
 Make sure to also follow [Project Jupyter's Code of Conduct](https://github.com/jupyter/governance/blob/HEAD/conduct/code_of_conduct.md)
 for a friendly and welcoming collaborative environment.
-Please see our documentation on
+## Setting up a development environment
- [Setting up a development install](https://jupyterhub.readthedocs.io/en/latest/contributing/setup.html)
+<!--
- [Testing JupyterHub and linting code](https://jupyterhub.readthedocs.io/en/latest/contributing/tests.html)
+https://jupyterhub.readthedocs.io/en/stable/contributing/setup.html
 contains a lot of the same information. Should we merge the docs and
 just have this page link to that one?
 -->
-If you need some help, feel free to ask on [Gitter](https://gitter.im/jupyterhub/jupyterhub) or [Discourse](https://discourse.jupyter.org/).
+JupyterHub requires Python >= 3.5 and nodejs.
 As a Python project, a development install of JupyterHub follows standard practices for the basics (steps 1-2).
 1. clone the repo
   ```bash
   git clone https://github.com/jupyterhub/jupyterhub
   ```
 2. do a development install with pip
   ```bash
   cd jupyterhub
   python3 -m pip install --editable .
   ```
 3. install the development requirements,
   which include things like testing tools
   ```bash
   python3 -m pip install -r dev-requirements.txt
   ```
 4. install configurable-http-proxy with npm:
   ```bash
   npm install -g configurable-http-proxy
   ```
 5. set up pre-commit hooks for automatic code formatting, etc.
   ```bash
   pre-commit install
   ```
   You can also invoke the pre-commit hook manually at any time with
   ```bash
   pre-commit run
   ```
 ## Contributing
 JupyterHub has adopted automatic code formatting so you shouldn't
 need to worry too much about your code style.
 As long as your code is valid,
 the pre-commit hook should take care of how it should look.
 You can invoke the pre-commit hook by hand at any time with:
 ```bash
 pre-commit run
 ```
 which should run any autoformatting on your code
 and tell you about any errors it couldn't fix automatically.
 You may also install [black integration](https://github.com/psf/black#editor-integration)
 into your text editor to format code automatically.
 If you have already committed files before setting up the pre-commit
 hook with `pre-commit install`, you can fix everything up using
 `pre-commit run --all-files`. You need to make the fixing commit
 yourself after that.
 ## Testing
 It's a good idea to write tests to exercise any new features,
 or that trigger any bugs that you have fixed to catch regressions.
 You can run the tests with:
 ```bash
 pytest -v
 ```
 in the repo directory. If you want to just run certain tests,
 check out the [pytest docs](https://pytest.readthedocs.io/en/latest/usage.html)
 for how pytest can be called.
 For instance, to test only spawner-related things in the REST API:
 ```bash
 pytest -v -k spawn jupyterhub/tests/test_api.py
 ```
 The tests live in `jupyterhub/tests` and are organized roughly into:
 1. `test_api.py` tests the REST API
 2. `test_pages.py` tests loading the HTML pages
 and other collections of tests for different components.
 When writing a new test, there should usually be a test of
 similar functionality already written and related tests should
 be added nearby.
 The fixtures live in `jupyterhub/tests/conftest.py`. There are
 fixtures that can be used for JupyterHub components, such as:
 - `app`: an instance of JupyterHub with mocked parts
 - `auth_state_enabled`: enables persisting auth_state (like authentication tokens)
 - `db`: a sqlite in-memory DB session
 - `io_loop`: a Tornado event loop
 - `event_loop`: a new asyncio event loop
 - `user`: creates a new temporary user
 - `admin_user`: creates a new temporary admin user
 - single user servers
  - `cleanup_after`: allows cleanup of single user servers between tests
 - mocked service
  - `MockServiceSpawner`: a spawner that mocks services for testing with a short poll interval
  - `mockservice`: mocked service with no external service url
  - `mockservice_url`: mocked service with a url to test external services
 And fixtures to add functionality or spawning behavior:
 - `admin_access`: grants admin access
 - `no_patience`: sets slow-spawning timeouts to zero
 - `slow_spawn`: enables the SlowSpawner (a spawner that takes a few seconds to start)
 - `never_spawn`: enables the NeverSpawner (a spawner that will never start)
 - `bad_spawn`: enables the BadSpawner (a spawner that fails immediately)
 - `slow_bad_spawn`: enables the SlowBadSpawner (a spawner that fails after a short delay)
 To read more about fixtures check out the
 [pytest docs](https://docs.pytest.org/en/latest/fixture.html)
 for how to use the existing fixtures, and how to create new ones.
 When in doubt, feel free to [ask](https://gitter.im/jupyterhub/jupyterhub).
--- a/123
+++ b/123
@@ -21,116 +21,81 @@
 # your jupyterhub_config.py will be added automatically
 # from your docker directory.
-######################################################################
+ARG BASE_IMAGE=ubuntu:focal-20200729
-# This Dockerfile uses multi-stage builds with optimisations to build
+FROM $BASE_IMAGE AS builder
 # the JupyterHub wheel on the native architecture only
 # https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
-ARG BASE_IMAGE=ubuntu:22.04
+USER root
-
+ENV DEBIAN_FRONTEND noninteractive
-######################################################################
+RUN apt-get update \
-# The JupyterHub wheel is pure Python so can be built for any platform
+ && apt-get install -yq --no-install-recommends \
 # on the native architecture (avoiding QEMU emulation)
 FROM --platform=${BUILDPLATFORM:-linux/amd64} $BASE_IMAGE AS jupyterhub-builder
 ENV DEBIAN_FRONTEND=noninteractive
 # Don't clear apt cache, and don't combine RUN commands, so that cached layers can
 # be reused in other stages
 RUN apt-get update -qq \
 && apt-get install -yqq --no-install-recommends \
    build-essential \
    ca-certificates \
    curl \
    locales \
    python3-dev \
    python3-pip \
    python3-pycurl \
    python3-venv \
 && python3 -m pip install --no-cache-dir --upgrade setuptools pip build wheel
 # Ubuntu 22.04 comes with Nodejs 12 which is too old for building JupyterHub JS
 # It's fine at runtime though (used only by configurable-http-proxy)
 RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
 && apt-get install -yqq --no-install-recommends \
    nodejs \
- && npm install --global yarn
+    npm \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
 RUN python3 -m pip install --upgrade setuptools pip wheel
 WORKDIR /src/jupyterhub
 # copy everything except whats in .dockerignore, its a
 # compromise between needing to rebuild and maintaining
 # what needs to be part of the build
-COPY . .
+COPY . /src/jupyterhub/
 WORKDIR /src/jupyterhub
-ARG PIP_CACHE_DIR=/tmp/pip-cache
+# Build client component packages (they will be copied into ./share and
-RUN --mount=type=cache,target=${PIP_CACHE_DIR} \
+# packaged with the built wheel.)
-    python3 -m build --wheel
+RUN python3 setup.py bdist_wheel
 RUN python3 -m pip wheel --wheel-dir wheelhouse dist/*.whl
-######################################################################
+FROM $BASE_IMAGE
-# All other wheels required by JupyterHub, some are platform specific
+
-FROM $BASE_IMAGE AS wheel-builder
+USER root
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update -qq \
+RUN apt-get update \
- && apt-get install -yqq --no-install-recommends \
+ && apt-get install -yq --no-install-recommends \
    build-essential \
    ca-certificates \
    curl \
    gnupg \
    locales \
    python3-dev \
    python3-pip \
    python3-pycurl \
-    python3-venv \
+    nodejs \
- && python3 -m pip install --no-cache-dir --upgrade setuptools pip build wheel
+    npm \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
-WORKDIR /src/jupyterhub
+ENV SHELL=/bin/bash \
 COPY --from=jupyterhub-builder /src/jupyterhub/dist/*.whl /src/jupyterhub/dist/
 ARG PIP_CACHE_DIR=/tmp/pip-cache
 RUN --mount=type=cache,target=${PIP_CACHE_DIR} \
    python3 -m pip wheel --wheel-dir wheelhouse dist/*.whl
 ######################################################################
 # The final JupyterHub image, platform specific
 FROM $BASE_IMAGE AS jupyterhub
 ENV DEBIAN_FRONTEND=noninteractive \
    SHELL=/bin/bash \
    LC_ALL=en_US.UTF-8 \
    LANG=en_US.UTF-8 \
-    LANGUAGE=en_US.UTF-8 \
+    LANGUAGE=en_US.UTF-8
-    PYTHONDONTWRITEBYTECODE=1
+
 RUN  locale-gen $LC_ALL
 # always make sure pip is up to date!
 RUN python3 -m pip install --no-cache --upgrade setuptools pip
 RUN npm install -g configurable-http-proxy@^4.2.0 \
 && rm -rf ~/.npm
 # install the wheels we built in the first stage
 COPY --from=builder /src/jupyterhub/wheelhouse /tmp/wheelhouse
 RUN python3 -m pip install --no-cache /tmp/wheelhouse/*
 RUN mkdir -p /srv/jupyterhub/
 WORKDIR /srv/jupyterhub/
 EXPOSE 8000
 LABEL maintainer="Jupyter Project <jupyter@googlegroups.com>"
 LABEL org.jupyter.service="jupyterhub"
 WORKDIR /srv/jupyterhub
 RUN apt-get update -qq \
 && apt-get install -yqq --no-install-recommends \
    ca-certificates \
    curl \
    gnupg \
    locales \
    python-is-python3 \
    python3-pip \
    python3-pycurl \
    nodejs \
    npm \
 && locale-gen $LC_ALL \
 && npm install -g configurable-http-proxy@^4.2.0 \
 # clean cache and logs
 && rm -rf /var/lib/apt/lists/* /var/log/* /var/tmp/* ~/.npm
 # install the wheels we built in the previous stage
 RUN --mount=type=cache,from=wheel-builder,source=/src/jupyterhub/wheelhouse,target=/tmp/wheelhouse \
    # always make sure pip is up to date!
    python3 -m pip install --no-compile --no-cache-dir --upgrade setuptools pip \
 && python3 -m pip install --no-compile --no-cache-dir /tmp/wheelhouse/*
 CMD ["jupyterhub"]
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -8,7 +8,6 @@ include *requirements.txt
 include Dockerfile
 graft onbuild
 graft jsx
 graft jupyterhub
 graft scripts
 graft share
@@ -19,10 +18,6 @@ graft ci
 graft docs
 prune docs/node_modules
 # Intermediate javascript files
 prune jsx/node_modules
 prune jsx/build
 # prune some large unused files from components
 prune share/jupyterhub/static/components/bootstrap/dist/css
 exclude share/jupyterhub/static/components/bootstrap/dist/fonts/*.svg
--- a/README.md
+++ b/README.md
@@ -6,28 +6,27 @@
 **[License](#license)** |
 **[Help and Resources](#help-and-resources)**
 ---
 # [JupyterHub](https://github.com/jupyterhub/jupyterhub)
 [![Latest PyPI version](https://img.shields.io/pypi/v/jupyterhub?logo=pypi)](https://pypi.python.org/pypi/jupyterhub)
-[![Latest conda-forge version](https://img.shields.io/conda/vn/conda-forge/jupyterhub?logo=conda-forge)](https://anaconda.org/conda-forge/jupyterhub)
+[![Latest conda-forge version](https://img.shields.io/conda/vn/conda-forge/jupyterhub?logo=conda-forge)](https://www.npmjs.com/package/jupyterhub)
 [![Documentation build status](https://img.shields.io/readthedocs/jupyterhub?logo=read-the-docs)](https://jupyterhub.readthedocs.org/en/latest/)
 [![GitHub Workflow Status - Test](https://img.shields.io/github/workflow/status/jupyterhub/jupyterhub/Test?logo=github&label=tests)](https://github.com/jupyterhub/jupyterhub/actions)
 [![DockerHub build status](https://img.shields.io/docker/build/jupyterhub/jupyterhub?logo=docker&label=build)](https://hub.docker.com/r/jupyterhub/jupyterhub/tags)
 [![CircleCI build status](https://img.shields.io/circleci/build/github/jupyterhub/jupyterhub?logo=circleci)](https://circleci.com/gh/jupyterhub/jupyterhub)<!-- CircleCI Token: b5b65862eb2617b9a8d39e79340b0a6b816da8cc -->
 [![Test coverage of code](https://codecov.io/gh/jupyterhub/jupyterhub/branch/main/graph/badge.svg)](https://codecov.io/gh/jupyterhub/jupyterhub)
 [![GitHub](https://img.shields.io/badge/issue_tracking-github-blue?logo=github)](https://github.com/jupyterhub/jupyterhub/issues)
 [![Discourse](https://img.shields.io/badge/help_forum-discourse-blue?logo=discourse)](https://discourse.jupyter.org/c/jupyterhub)
 [![Gitter](https://img.shields.io/badge/social_chat-gitter-blue?logo=gitter)](https://gitter.im/jupyterhub/jupyterhub)
 With [JupyterHub](https://jupyterhub.readthedocs.io) you can create a
-**multi-user Hub** that spawns, manages, and proxies multiple instances of the
+**multi-user Hub** which spawns, manages, and proxies multiple instances of the
 single-user [Jupyter notebook](https://jupyter-notebook.readthedocs.io)
 server.
 [Project Jupyter](https://jupyter.org) created JupyterHub to support many
 users. The Hub can offer notebook servers to a class of students, a corporate
-data science workgroup, a scientific research project, or a high-performance
+data science workgroup, a scientific research project, or a high performance
 computing group.
 ## Technical overview
@@ -41,30 +40,36 @@ Three main actors make up JupyterHub:
 Basic principles for operation are:
 - Hub launches a proxy.
- The Proxy forwards all requests to Hub by default.
+- Proxy forwards all requests to Hub by default.
- Hub handles login and spawns single-user servers on demand.
+- Hub handles login, and spawns single-user servers on demand.
- Hub configures proxy to forward URL prefixes to the single-user notebook
+- Hub configures proxy to forward url prefixes to the single-user notebook
  servers.
 JupyterHub also provides a
-[REST API][]
+[REST API](https://petstore3.swagger.io/?url=https://raw.githubusercontent.com/jupyter/jupyterhub/HEAD/docs/rest-api.yml#/default)
 for administration of the Hub and its users.
 [rest api]: https://jupyterhub.readthedocs.io/en/latest/reference/rest-api.html
 ## Installation
 ### Check prerequisites
 - A Linux/Unix based system
- [Python](https://www.python.org/downloads/) 3.6 or greater
+- [Python](https://www.python.org/downloads/) 3.5 or greater
 - [nodejs/npm](https://www.npmjs.com/)
  - If you are using **`conda`**, the nodejs and npm dependencies will be installed for
    you by conda.
-  - If you are using **`pip`**, install a recent version (at least 12.0) of
+  - If you are using **`pip`**, install a recent version of
    [nodejs/npm](https://docs.npmjs.com/getting-started/installing-node).
    For example, install it on Linux (Debian/Ubuntu) using:
    ```
    sudo apt-get install npm nodejs-legacy
    ```
    The `nodejs-legacy` package installs the `node` executable and is currently
    required for npm to work on Debian/Ubuntu.
 - If using the default PAM Authenticator, a [pluggable authentication module (PAM)](https://en.wikipedia.org/wiki/Pluggable_authentication_module).
 - TLS certificate and key for HTTPS communication
@@ -80,11 +85,12 @@ To install JupyterHub along with its dependencies including nodejs/npm:
 conda install -c conda-forge jupyterhub
 ```
-If you plan to run notebook servers locally, install JupyterLab or Jupyter notebook:
+If you plan to run notebook servers locally, install the Jupyter notebook
 or JupyterLab:
 ```bash
 conda install jupyterlab
 conda install notebook
 conda install jupyterlab
 ```
 #### Using `pip`
@@ -96,10 +102,10 @@ npm install -g configurable-http-proxy
 python3 -m pip install jupyterhub
 ```
-If you plan to run notebook servers locally, you will need to install
+If you plan to run notebook servers locally, you will need to install the
-[JupyterLab or Jupyter notebook](https://jupyter.readthedocs.io/en/latest/install.html):
+[Jupyter notebook](https://jupyter.readthedocs.io/en/latest/install.html)
 package:
    python3 -m pip install --upgrade jupyterlab
    python3 -m pip install --upgrade notebook
 ### Run the Hub server
@@ -108,9 +114,10 @@ To start the Hub server, run the command:
    jupyterhub
-Visit `http://localhost:8000` in your browser, and sign in with your system username and password.
+Visit `https://localhost:8000` in your browser, and sign in with your unix
 PAM credentials.
-_Note_: To allow multiple users to sign in to the server, you will need to
+_Note_: To allow multiple users to sign into the server, you will need to
 run the `jupyterhub` command as a _privileged user_, such as root.
 The [wiki](https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges)
 describes how to run the server as a _less privileged user_, which requires
@@ -118,7 +125,7 @@ more configuration of the system.
 ## Configuration
-The [Getting Started](https://jupyterhub.readthedocs.io/en/latest/tutorial/index.html#getting-started) section of the
+The [Getting Started](https://jupyterhub.readthedocs.io/en/latest/getting-started/index.html) section of the
 documentation explains the common steps in setting up JupyterHub.
 The [**JupyterHub tutorial**](https://github.com/jupyterhub/jupyterhub-tutorial)
@@ -181,7 +188,7 @@ this a good choice for **testing JupyterHub on your desktop or laptop**.
 If you want to run docker on a computer that has a public IP then you should
 (as in MUST) **secure it with ssl** by adding ssl options to your docker
-configuration or by using an ssl enabled proxy.
+configuration or by using a ssl enabled proxy.
 [Mounting volumes](https://docs.docker.com/engine/admin/volumes/volumes/) will
 allow you to **store data outside the docker image (host system) so it will be persistent**, even when you start
@@ -221,18 +228,19 @@ docker container or Linux VM.
 We use a shared copyright model that enables all contributors to maintain the
 copyright on their contributions.
-All code is licensed under the terms of the [revised BSD license](./COPYING.md).
+All code is licensed under the terms of the revised BSD license.
 ## Help and resources
-We encourage you to ask questions and share ideas on the [Jupyter community forum](https://discourse.jupyter.org/).
+We encourage you to ask questions on the [Jupyter mailing list](https://groups.google.com/forum/#!forum/jupyter).
-You can also talk with us on our JupyterHub [Gitter](https://gitter.im/jupyterhub/jupyterhub) channel.
+To participate in development discussions or get help, talk with us on
 our JupyterHub [Gitter](https://gitter.im/jupyterhub/jupyterhub) channel.
 - [Reporting Issues](https://github.com/jupyterhub/jupyterhub/issues)
 - [JupyterHub tutorial](https://github.com/jupyterhub/jupyterhub-tutorial)
- [Documentation for JupyterHub](https://jupyterhub.readthedocs.io/en/latest/)
+- [Documentation for JupyterHub](https://jupyterhub.readthedocs.io/en/latest/) | [PDF (latest)](https://media.readthedocs.org/pdf/jupyterhub/latest/jupyterhub.pdf) | [PDF (stable)](https://media.readthedocs.org/pdf/jupyterhub/stable/jupyterhub.pdf)
- [Documentation for JupyterHub's REST API][rest api]
+- [Documentation for JupyterHub's REST API](https://petstore3.swagger.io/?url=https://raw.githubusercontent.com/jupyter/jupyterhub/HEAD/docs/rest-api.yml#/default)
- [Documentation for Project Jupyter](http://jupyter.readthedocs.io/en/latest/index.html)
+- [Documentation for Project Jupyter](http://jupyter.readthedocs.io/en/latest/index.html) | [PDF](https://media.readthedocs.org/pdf/jupyter/latest/jupyter.pdf)
 - [Project Jupyter website](https://jupyter.org)
 - [Project Jupyter community](https://jupyter.org/community)
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,55 +0,0 @@
 # How to make a release
 `jupyterhub` is a package available on [PyPI][] and [conda-forge][].
 These are instructions on how to make a release.
 ## Pre-requisites
 - Push rights to [jupyterhub/jupyterhub][]
 - Push rights to [conda-forge/jupyterhub-feedstock][]
 ## Steps to make a release
 1. Create a PR updating `docs/source/changelog.md` with [github-activity][] and
   continue only when its merged.
   ```shell
   pip install github-activity
   github-activity --heading-level=3 jupyterhub/jupyterhub
   ```
 1. Checkout main and make sure it is up to date.
   ```shell
   git checkout main
   git fetch origin main
   git reset --hard origin/main
   ```
 1. Update the version, make commits, and push a git tag with `tbump`.
   ```shell
   pip install tbump
   tbump --dry-run ${VERSION}
   tbump ${VERSION}
   ```
   Following this, the [CI system][] will build and publish a release.
 1. Reset the version back to dev, e.g. `2.1.0.dev` after releasing `2.0.0`
   ```shell
   tbump --no-tag ${NEXT_VERSION}.dev
   ```
 1. Following the release to PyPI, an automated PR should arrive to
   [conda-forge/jupyterhub-feedstock][] with instructions.
 [pypi]: https://pypi.org/project/jupyterhub/
 [conda-forge]: https://anaconda.org/conda-forge/jupyterhub
 [jupyterhub/jupyterhub]: https://github.com/jupyterhub/jupyterhub
 [conda-forge/jupyterhub-feedstock]: https://github.com/conda-forge/jupyterhub-feedstock
 [github-activity]: https://github.com/executablebooks/github-activity
 [ci system]: https://github.com/jupyterhub/jupyterhub/actions/workflows/release.yml
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,5 +0,0 @@
 # Reporting a Vulnerability
 If you believe you’ve found a security vulnerability in a Jupyter
 project, please report it to security@ipython.org. If you prefer to
 encrypt your security reports, you can use [this PGP public key](https://jupyter-notebook.readthedocs.io/en/stable/_downloads/1d303a645f2505a8fd283826fafc9908/ipython_security.asc).
--- a/2
+++ b/2
@@ -29,5 +29,5 @@ dependencies = package_json['dependencies']
 for dep in dependencies:
    src = join(node_modules, dep)
    dest = join(components, dep)
-    print(f"{src} -> {dest}")
+    print("%s -> %s" % (src, dest))
    shutil.copytree(src, dest)
--- a/ci/check_installed_data.py
+++ b/ci/check_installed_data.py
@@ -1,36 +0,0 @@
 #!/usr/bin/env python
 # Check that installed package contains everything we expect
 from pathlib import Path
 import jupyterhub
 from jupyterhub._data import DATA_FILES_PATH
 print("Checking jupyterhub._data", end=" ")
 print(f"DATA_FILES_PATH={DATA_FILES_PATH}", end=" ")
 DATA_FILES_PATH = Path(DATA_FILES_PATH)
 assert DATA_FILES_PATH.is_dir(), DATA_FILES_PATH
 for subpath in (
    "templates/spawn.html",
    "static/css/style.min.css",
    "static/components/jquery/dist/jquery.js",
    "static/js/admin-react.js",
 ):
    path = DATA_FILES_PATH / subpath
    assert path.is_file(), path
 print("OK")
 print("Checking package_data", end=" ")
 jupyterhub_path = Path(jupyterhub.__file__).parent.resolve()
 for subpath in (
    "alembic.ini",
    "alembic/versions/833da8570507_rbac.py",
    "event-schemas/server-actions/v1.yaml",
    "singleuser/templates/page.html",
 ):
    path = jupyterhub_path / subpath
    assert path.is_file(), path
 print("OK")
--- a/ci/check_sdist.py
+++ b/ci/check_sdist.py
@@ -1,27 +0,0 @@
 #!/usr/bin/env python
 # Check that sdist contains everything we expect
 import sys
 import tarfile
 expected_files = [
    "docs/requirements.txt",
    "jsx/package.json",
    "package.json",
    "README.md",
 ]
 assert len(sys.argv) == 2, "Expected one file"
 print(f"Checking {sys.argv[1]}")
 tar = tarfile.open(name=sys.argv[1], mode="r:gz")
 try:
    # Remove leading jupyterhub-VERSION/
    filelist = {f.partition('/')[2] for f in tar.getnames()}
 finally:
    tar.close()
 for e in expected_files:
    assert e in filelist, f"{e} not found"
 print("OK")
--- a/ci/docker-db.sh
+++ b/ci/docker-db.sh
@@ -22,7 +22,7 @@ if [[ "$DB" == "mysql" ]]; then
    # ref server: https://hub.docker.com/_/mysql/
    # ref client: https://dev.mysql.com/doc/refman/5.7/en/setting-environment-variables.html
    #
-    DOCKER_RUN_ARGS="-p 3306:3306 --env MYSQL_ALLOW_EMPTY_PASSWORD=1 mysql:8.0"
+    DOCKER_RUN_ARGS="-p 3306:3306 --env MYSQL_ALLOW_EMPTY_PASSWORD=1 mysql:5.7"
    READINESS_CHECK="mysql --user root --execute \q"
 elif [[ "$DB" == "postgres" ]]; then
    # Environment variables can influence both the postgresql server in the
@@ -36,7 +36,7 @@ elif [[ "$DB" == "postgres" ]]; then
    # used by the postgresql client psql, so we configure the user based on how
    # we want to connect.
    #
-    DOCKER_RUN_ARGS="-p 5432:5432 --env "POSTGRES_USER=${PGUSER}" --env "POSTGRES_PASSWORD=${PGPASSWORD}" postgres:15.1"
+    DOCKER_RUN_ARGS="-p 5432:5432 --env "POSTGRES_USER=${PGUSER}" --env "POSTGRES_PASSWORD=${PGPASSWORD}" postgres:9.5"
    READINESS_CHECK="psql --command \q"
 else
    echo '$DB must be mysql or postgres'
--- a/ci/init-db.sh
+++ b/ci/init-db.sh
@@ -19,9 +19,8 @@ else
 fi
 # Configure a set of databases in the database server for upgrade tests
 # this list must be in sync with versions in test_db.py:test_upgrade
 set -x
-for SUFFIX in '' _upgrade_110 _upgrade_122 _upgrade_130 _upgrade_150 _upgrade_211; do
+for SUFFIX in '' _upgrade_072 _upgrade_081 _upgrade_094; do
    $SQL_CLIENT "DROP DATABASE jupyterhub${SUFFIX};" 2>/dev/null || true
    $SQL_CLIENT "CREATE DATABASE jupyterhub${SUFFIX} ${EXTRA_CREATE_DATABASE_ARGS:-};"
 done
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -0,0 +1,20 @@
 -r requirements.txt
 # temporary pin of attrs for jsonschema 0.3.0a1
 # seems to be a pip bug
 attrs>=17.4.0
 beautifulsoup4
 codecov
 coverage
 cryptography
 html5lib  # needed for beautifulsoup
 mock
 notebook
 pre-commit
 pytest>=3.3
 pytest-asyncio
 pytest-cov
 requests-mock
 # blacklist urllib3 releases affected by https://github.com/urllib3/urllib3/issues/1683
 # I *think* this should only affect testing, not production
 urllib3!=1.25.4,!=1.25.5
 virtualenv
--- a/dockerfiles/Dockerfile.alpine
+++ b/dockerfiles/Dockerfile.alpine
@@ -0,0 +1,14 @@
 FROM alpine:3.13
 ENV LANG=en_US.UTF-8
 RUN apk add --no-cache \
        python3 \
        py3-pip \
        py3-ruamel.yaml \
        py3-cryptography \
        py3-sqlalchemy
 ARG JUPYTERHUB_VERSION=1.3.0
 RUN pip3 install --no-cache jupyterhub==${JUPYTERHUB_VERSION}
 USER nobody
 CMD ["jupyterhub"]
--- a/dockerfiles/README.md
+++ b/dockerfiles/README.md
@@ -0,0 +1,20 @@
 ## What is Dockerfile.alpine
 Dockerfile.alpine contains base image for jupyterhub. It does not work independently, but only as part of a full jupyterhub cluster
 ## How to use it?
 1. A running configurable-http-proxy, whose API is accessible.
 2. A jupyterhub_config file.
 3. Authentication and other libraries required by the specific jupyterhub_config file.
 ## Steps to test it outside a cluster
 - start configurable-http-proxy in another container
 - specify CONFIGPROXY_AUTH_TOKEN env in both containers
 - put both containers on the same network (e.g. docker network create jupyterhub; docker run ... --net jupyterhub)
 - tell jupyterhub where CHP is (e.g. c.ConfigurableHTTPProxy.api_url = 'http://chp:8001')
 - tell jupyterhub not to start the proxy itself (c.ConfigurableHTTPProxy.should_start = False)
 - Use dummy authenticator for ease of testing. Update following in jupyterhub_config file
  - c.JupyterHub.authenticator_class = 'dummyauthenticator.DummyAuthenticator'
  - c.DummyAuthenticator.password = "your strong password"
--- a/dockerfiles/test.py
+++ b/dockerfiles/test.py
@@ -4,11 +4,6 @@ from jupyterhub._data import DATA_FILES_PATH
 print(f"DATA_FILES_PATH={DATA_FILES_PATH}")
-for sub_path in (
+for sub_path in ("templates", "static/components", "static/css/style.min.css"):
    "templates",
    "static/components",
    "static/css/style.min.css",
    "static/js/admin-react.js",
 ):
    path = os.path.join(DATA_FILES_PATH, sub_path)
    assert os.path.exists(path), path
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -1,62 +1,212 @@
-# Makefile for Sphinx documentation generated by sphinx-quickstart
+# Makefile for Sphinx documentation
-# ----------------------------------------------------------------------------
+#
-# You can set these variables from the command line, and also
+# You can set these variables from the command line.
-# from the environment for the first two.
+SPHINXOPTS    = "-W"
-SPHINXOPTS    ?= --color -W --keep-going
+SPHINXBUILD   = sphinx-build
-SPHINXBUILD   ?= sphinx-build
+PAPER         =
-SOURCEDIR     = source
+BUILDDIR      = build
-BUILDDIR      = _build
+
 # User-friendly check for sphinx-build
 ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
 $(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
 endif
 # Internal variables.
 PAPEROPT_a4     = -D latex_paper_size=a4
 PAPEROPT_letter = -D latex_paper_size=letter
 ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
 # the i18n builder cannot share the environment and doctrees with the others
 I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
 .PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext
 # Put it first so that "make" without argument is like "make help".
 help:
-	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS)
+	@echo "Please use \`make <target>' where <target> is one of"
 	@echo "  html       to make standalone HTML files"
 	@echo "  dirhtml    to make HTML files named index.html in directories"
 	@echo "  singlehtml to make a single large HTML file"
 	@echo "  pickle     to make pickle files"
 	@echo "  json       to make JSON files"
 	@echo "  htmlhelp   to make HTML files and a HTML help project"
 	@echo "  qthelp     to make HTML files and a qthelp project"
 	@echo "  applehelp  to make an Apple Help Book"
 	@echo "  devhelp    to make HTML files and a Devhelp project"
 	@echo "  epub       to make an epub"
 	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
 	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
 	@echo "  latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
 	@echo "  text       to make text files"
 	@echo "  man        to make manual pages"
 	@echo "  texinfo    to make Texinfo files"
 	@echo "  info       to make Texinfo files and run them through makeinfo"
 	@echo "  gettext    to make PO message catalogs"
 	@echo "  changes    to make an overview of all changed/added/deprecated items"
 	@echo "  xml        to make Docutils-native XML files"
 	@echo "  pseudoxml  to make pseudoxml-XML files for display purposes"
 	@echo "  linkcheck  to check all external links for integrity"
 	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"
 	@echo "  coverage   to run coverage check of the documentation (if enabled)"
 	@echo "  spelling   to run spell check on documentation"
 	@echo "  metrics    to generate documentation for metrics by inspecting the source code"
-.PHONY: help Makefile metrics scopes
+clean:
 	rm -rf $(BUILDDIR)/*
-# Catch-all target: route all unknown targets to Sphinx using the new
+node_modules: package.json
-# "make mode" option.
+	npm install && touch node_modules
 #
 # Several sphinx-build commands can be used through this, for example:
 #
 # - make clean
 # - make linkcheck
 # - make spelling
 #
 %: Makefile
 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS)
 rest-api: source/_static/rest-api/index.html
-# Manually added targets - related to code generation
+source/_static/rest-api/index.html: rest-api.yml node_modules
-# ----------------------------------------------------------------------------
+	npm run rest-api
-# For local development:
+metrics: source/reference/metrics.rst
-# - builds the html
+
-# - NOTE: If the pre-requisites for the html target is updated, also update the
+source/reference/metrics.rst: generate-metrics.py
-#         Read The Docs section in docs/source/conf.py.
+	python3 generate-metrics.py
-#
+
-html: metrics scopes
+html: rest-api metrics
-	$(SPHINXBUILD) -b html "$(SOURCEDIR)" "$(BUILDDIR)/html" $(SPHINXOPTS)
+	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
 	@echo
 	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
-metrics: source/reference/metrics.md
+dirhtml:
-source/reference/metrics.md:
+	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
-	python3 generate-metrics.py
+	@echo
 	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
-scopes: source/rbac/scope-table.md
+singlehtml:
-source/rbac/scope-table.md:
+	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
-	python3 source/rbac/generate-scope-table.py
+	@echo
 	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
 pickle:
 	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
 	@echo
 	@echo "Build finished; now you can process the pickle files."
-# Manually added targets - related to development
+json:
-# ----------------------------------------------------------------------------
+	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
 	@echo
 	@echo "Build finished; now you can process the JSON files."
-# For local development:
+htmlhelp:
-# - requires sphinx-autobuild, see
+	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
-#   https://sphinxcontrib-spelling.readthedocs.io/en/latest/
+	@echo
-# - builds and rebuilds html on changes to source, but does not re-generate
+	@echo "Build finished; now you can run HTML Help Workshop with the" \
-#   metrics/scopes files
+	      ".hhp project file in $(BUILDDIR)/htmlhelp."
-# - starts a livereload enabled webserver and opens up a browser
+
-devenv: html
+qthelp:
-	sphinx-autobuild -b html --open-browser "$(SOURCEDIR)" "$(BUILDDIR)/html"
+	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
 	@echo
 	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
 	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
 	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/JupyterHub.qhcp"
 	@echo "To view the help file:"
 	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/JupyterHub.qhc"
 applehelp:
 	$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
 	@echo
 	@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
 	@echo "N.B. You won't be able to view it unless you put it in" \
 	      "~/Library/Documentation/Help or install it in your application" \
 	      "bundle."
 devhelp:
 	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
 	@echo
 	@echo "Build finished."
 	@echo "To view the help file:"
 	@echo "# mkdir -p $$HOME/.local/share/devhelp/JupyterHub"
 	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/JupyterHub"
 	@echo "# devhelp"
 epub:
 	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
 	@echo
 	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
 latex:
 	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
 	@echo
 	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
 	@echo "Run \`make' in that directory to run these through (pdf)latex" \
 	      "(use \`make latexpdf' here to do that automatically)."
 latexpdf:
 	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
 	@echo "Running LaTeX files through pdflatex..."
 	$(MAKE) -C $(BUILDDIR)/latex all-pdf
 	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
 latexpdfja:
 	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
 	@echo "Running LaTeX files through platex and dvipdfmx..."
 	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
 	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
 text:
 	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
 	@echo
 	@echo "Build finished. The text files are in $(BUILDDIR)/text."
 man:
 	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
 	@echo
 	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
 texinfo:
 	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
 	@echo
 	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
 	@echo "Run \`make' in that directory to run these through makeinfo" \
 	      "(use \`make info' here to do that automatically)."
 info:
 	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
 	@echo "Running Texinfo files through makeinfo..."
 	make -C $(BUILDDIR)/texinfo info
 	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
 gettext:
 	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
 	@echo
 	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
 changes:
 	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
 	@echo
 	@echo "The overview file is in $(BUILDDIR)/changes."
 linkcheck:
 	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
 	@echo
 	@echo "Link check complete; look for any errors in the above output " \
 	      "or in $(BUILDDIR)/linkcheck/output.txt."
 spelling:
 	$(SPHINXBUILD) -b spelling $(ALLSPHINXOPTS) $(BUILDDIR)/spelling
 	@echo
 	@echo "Spell check complete; look for any errors in the above output " \
 	      "or in $(BUILDDIR)/spelling/output.txt."
 doctest:
 	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
 	@echo "Testing of doctests in the sources finished, look at the " \
 	      "results in $(BUILDDIR)/doctest/output.txt."
 coverage:
 	$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
 	@echo "Testing of coverage in the sources finished, look at the " \
 	      "results in $(BUILDDIR)/coverage/python.txt."
 xml:
 	$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
 	@echo
 	@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
 pseudoxml:
 	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
 	@echo
 	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
--- a/docs/generate-metrics.py
+++ b/docs/generate-metrics.py
@@ -1,6 +1,8 @@
 import os
 from os.path import join
-from pytablewriter import MarkdownTableWriter
+from pytablewriter import RstSimpleTableWriter
 from pytablewriter.style import Style
 import jupyterhub.metrics
@@ -10,11 +12,12 @@ HERE = os.path.abspath(os.path.dirname(__file__))
 class Generator:
    @classmethod
    def create_writer(cls, table_name, headers, values):
-        writer = MarkdownTableWriter()
+        writer = RstSimpleTableWriter()
        writer.table_name = table_name
        writer.headers = headers
        writer.value_matrix = values
        writer.margin = 1
        [writer.set_style(header, Style(align="center")) for header in headers]
        return writer
    def _parse_metrics(self):
@@ -31,17 +34,18 @@ class Generator:
        if not os.path.exists(generated_directory):
            os.makedirs(generated_directory)
-        filename = f"{generated_directory}/metrics.md"
+        filename = f"{generated_directory}/metrics.rst"
        table_name = ""
        headers = ["Type", "Name", "Description"]
        values = self._parse_metrics()
        writer = self.create_writer(table_name, headers, values)
        title = "List of Prometheus Metrics"
        underline = "============================"
        content = f"{title}\n{underline}\n{writer.dumps()}"
        with open(filename, 'w') as f:
-            f.write("# List of Prometheus Metrics\n\n")
+            f.write(content)
-            f.write(writer.dumps())
+        print(f"Generated {filename}.")
            f.write("\n")
        print(f"Generated {filename}")
 def main():
--- a/docs/make.bat
+++ b/docs/make.bat
@@ -1,49 +1,263 @@
@ECHO OFF
 pushd %~dp0
 REM Command file for Sphinx documentation
 if "%SPHINXBUILD%" == "" (
 	set SPHINXBUILD=--color -W --keep-going
 )
 if "%SPHINXBUILD%" == "" (
 	set SPHINXBUILD=sphinx-build
 )
-set SOURCEDIR=source
+set BUILDDIR=build
-set BUILDDIR=_build
+set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% source
 set I18NSPHINXOPTS=%SPHINXOPTS% source
 if NOT "%PAPER%" == "" (
 	set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
 	set I18NSPHINXOPTS=-D latex_paper_size=%PAPER% %I18NSPHINXOPTS%
 )
 if "%1" == "" goto help
-if "%1" == "devenv" goto devenv
+
-goto default
+if "%1" == "help" (
 	:help
 	echo.Please use `make ^<target^>` where ^<target^> is one of
 	echo.  html       to make standalone HTML files
 	echo.  dirhtml    to make HTML files named index.html in directories
 	echo.  singlehtml to make a single large HTML file
 	echo.  pickle     to make pickle files
 	echo.  json       to make JSON files
 	echo.  htmlhelp   to make HTML files and a HTML help project
 	echo.  qthelp     to make HTML files and a qthelp project
 	echo.  devhelp    to make HTML files and a Devhelp project
 	echo.  epub       to make an epub
 	echo.  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter
 	echo.  text       to make text files
 	echo.  man        to make manual pages
 	echo.  texinfo    to make Texinfo files
 	echo.  gettext    to make PO message catalogs
 	echo.  changes    to make an overview over all changed/added/deprecated items
 	echo.  xml        to make Docutils-native XML files
 	echo.  pseudoxml  to make pseudoxml-XML files for display purposes
 	echo.  linkcheck  to check all external links for integrity
 	echo.  doctest    to run all doctests embedded in the documentation if enabled
 	echo.  coverage   to run coverage check of the documentation if enabled
 	goto end
 )
 if "%1" == "clean" (
 	for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
 	del /q /s %BUILDDIR%\*
 	goto end
 )
-:default
+REM Check if sphinx-build is available and fallback to Python version if any
-%SPHINXBUILD% >NUL 2>NUL
+%SPHINXBUILD% 1>NUL 2>NUL
 if errorlevel 9009 goto sphinx_python
 goto sphinx_ok
 :sphinx_python
 set SPHINXBUILD=python -m sphinx.__init__
 %SPHINXBUILD% 2> nul
 if errorlevel 9009 (
 	echo.
-	echo.The 'sphinx-build' command was not found. Open and read README.md!
+	echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
-	exit /b 1
+	echo.installed, then set the SPHINXBUILD environment variable to point
-)
+	echo.to the full path of the 'sphinx-build' executable. Alternatively you
-%SPHINXBUILD% -M %1 "%SOURCEDIR%" "%BUILDDIR%" %SPHINXOPTS%
+	echo.may add the Sphinx directory to PATH.
 goto end
 :help
 %SPHINXBUILD% -M help "%SOURCEDIR%" "%BUILDDIR%" %SPHINXOPTS%
 goto end
 :devenv
 sphinx-autobuild >NUL 2>NUL
 if errorlevel 9009 (
 	echo.
-	echo.The 'sphinx-autobuild' command was not found. Open and read README.md!
+	echo.If you don't have Sphinx installed, grab it from
 	echo.http://sphinx-doc.org/
 	exit /b 1
 )
 sphinx-autobuild -b html --open-browser "%SOURCEDIR%" "%BUILDDIR%/html"
 goto end
 :sphinx_ok
 if "%1" == "html" (
 	%SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The HTML pages are in %BUILDDIR%/html.
 	goto end
 )
 if "%1" == "dirhtml" (
 	%SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
 	goto end
 )
 if "%1" == "singlehtml" (
 	%SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
 	goto end
 )
 if "%1" == "pickle" (
 	%SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; now you can process the pickle files.
 	goto end
 )
 if "%1" == "json" (
 	%SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; now you can process the JSON files.
 	goto end
 )
 if "%1" == "htmlhelp" (
 	%SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; now you can run HTML Help Workshop with the ^
 .hhp project file in %BUILDDIR%/htmlhelp.
 	goto end
 )
 if "%1" == "qthelp" (
 	%SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; now you can run "qcollectiongenerator" with the ^
 .qhcp project file in %BUILDDIR%/qthelp, like this:
 	echo.^> qcollectiongenerator %BUILDDIR%\qthelp\JupyterHub.qhcp
 	echo.To view the help file:
 	echo.^> assistant -collectionFile %BUILDDIR%\qthelp\JupyterHub.ghc
 	goto end
 )
 if "%1" == "devhelp" (
 	%SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished.
 	goto end
 )
 if "%1" == "epub" (
 	%SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The epub file is in %BUILDDIR%/epub.
 	goto end
 )
 if "%1" == "latex" (
 	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
 	goto end
 )
 if "%1" == "latexpdf" (
 	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
 	cd %BUILDDIR%/latex
 	make all-pdf
 	cd %~dp0
 	echo.
 	echo.Build finished; the PDF files are in %BUILDDIR%/latex.
 	goto end
 )
 if "%1" == "latexpdfja" (
 	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
 	cd %BUILDDIR%/latex
 	make all-pdf-ja
 	cd %~dp0
 	echo.
 	echo.Build finished; the PDF files are in %BUILDDIR%/latex.
 	goto end
 )
 if "%1" == "text" (
 	%SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The text files are in %BUILDDIR%/text.
 	goto end
 )
 if "%1" == "man" (
 	%SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The manual pages are in %BUILDDIR%/man.
 	goto end
 )
 if "%1" == "texinfo" (
 	%SPHINXBUILD% -b texinfo %ALLSPHINXOPTS% %BUILDDIR%/texinfo
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The Texinfo files are in %BUILDDIR%/texinfo.
 	goto end
 )
 if "%1" == "gettext" (
 	%SPHINXBUILD% -b gettext %I18NSPHINXOPTS% %BUILDDIR%/locale
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The message catalogs are in %BUILDDIR%/locale.
 	goto end
 )
 if "%1" == "changes" (
 	%SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.The overview file is in %BUILDDIR%/changes.
 	goto end
 )
 if "%1" == "linkcheck" (
 	%SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Link check complete; look for any errors in the above output ^
 or in %BUILDDIR%/linkcheck/output.txt.
 	goto end
 )
 if "%1" == "doctest" (
 	%SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Testing of doctests in the sources finished, look at the ^
 results in %BUILDDIR%/doctest/output.txt.
 	goto end
 )
 if "%1" == "coverage" (
 	%SPHINXBUILD% -b coverage %ALLSPHINXOPTS% %BUILDDIR%/coverage
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Testing of coverage in the sources finished, look at the ^
 results in %BUILDDIR%/coverage/python.txt.
 	goto end
 )
 if "%1" == "xml" (
 	%SPHINXBUILD% -b xml %ALLSPHINXOPTS% %BUILDDIR%/xml
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The XML files are in %BUILDDIR%/xml.
 	goto end
 )
 if "%1" == "pseudoxml" (
 	%SPHINXBUILD% -b pseudoxml %ALLSPHINXOPTS% %BUILDDIR%/pseudoxml
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The pseudo-XML files are in %BUILDDIR%/pseudoxml.
 	goto end
 )
 :end
 popd
--- a/docs/package.json
+++ b/docs/package.json
@@ -0,0 +1,14 @@
 {
  "name": "jupyterhub-docs-build",
  "version": "0.8.0",
  "description": "build JupyterHub swagger docs",
  "scripts": {
    "rest-api": "bootprint openapi ./rest-api.yml source/_static/rest-api"
  },
  "author": "",
  "license": "BSD-3-Clause",
  "devDependencies": {
    "bootprint": "^1.0.0",
    "bootprint-openapi": "^1.0.0"
  }
 }
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,21 +1,12 @@
-# We install the jupyterhub package to help autodoc-traits inspect it and
+-r ../requirements.txt
 # generate documentation.
 #
 # FIXME: If there is a way for this requirements.txt file to pass a flag that
 #        the build system can intercept to not build the javascript artifacts,
 #        then do so so. That would mean that installing the documentation can
 #        avoid needing node/npm installed.
 #
 --editable .
-autodoc-traits
+alabaster_jupyterhub
-jupyterhub-sphinx-theme
+# Temporary fix of #3021. Revert back to released autodoc-traits when
-myst-parser>=0.19
+# 0.1.0 released.
-pre-commit
+https://github.com/jupyterhub/autodoc-traits/archive/d22282c1c18c6865436e06d8b329c06fe12a07f8.zip
 pydata-sphinx-theme
 pytablewriter>=0.56
-ruamel.yaml
+recommonmark>=0.6
-sphinx>=4
+sphinx>=1.7
 sphinx-copybutton
 sphinx-jsonschema
 sphinxext-opengraph
 sphinxext-rediraffe
--- a/docs/rest-api.yml
+++ b/docs/rest-api.yml
@@ -0,0 +1,893 @@
 # see me at: https://petstore3.swagger.io/?url=https://raw.githubusercontent.com/jupyterhub/jupyterhub/HEAD/docs/rest-api.yml#/default
 swagger: "2.0"
 info:
  title: JupyterHub
  description: The REST API for JupyterHub
  version: 1.4.0
  license:
    name: BSD-3-Clause
 schemes: [http, https]
 securityDefinitions:
  token:
    type: apiKey
    name: Authorization
    in: header
 security:
  - token: []
 basePath: /hub/api
 produces:
  - application/json
 consumes:
  - application/json
 paths:
  /:
    get:
      summary: Get JupyterHub version
      description: |
        This endpoint is not authenticated for the purpose of clients and user
        to identify the JupyterHub version before setting up authentication.
      responses:
        "200":
          description: The JupyterHub version
          schema:
            type: object
            properties:
              version:
                type: string
                description: The version of JupyterHub itself
  /info:
    get:
      summary: Get detailed info about JupyterHub
      description: |
        Detailed JupyterHub information, including Python version,
        JupyterHub's version and executable path,
        and which Authenticator and Spawner are active.
      responses:
        "200":
          description: Detailed JupyterHub info
          schema:
            type: object
            properties:
              version:
                type: string
                description: The version of JupyterHub itself
              python:
                type: string
                description: The Python version, as returned by sys.version
              sys_executable:
                type: string
                description: The path to sys.executable running JupyterHub
              authenticator:
                type: object
                properties:
                  class:
                    type: string
                    description: The Python class currently active for JupyterHub Authentication
                  version:
                    type: string
                    description: The version of the currently active Authenticator
              spawner:
                type: object
                properties:
                  class:
                    type: string
                    description: The Python class currently active for spawning single-user notebook servers
                  version:
                    type: string
                    description: The version of the currently active Spawner
  /users:
    get:
      summary: List users
      parameters:
        - name: state
          in: query
          required: false
          type: string
          enum: ["inactive", "active", "ready"]
          description: |
            Return only users who have servers in the given state.
            If unspecified, return all users.
            active: all users with any active servers (ready OR pending)
            ready: all users who have any ready servers (running, not pending)
            inactive: all users who have *no* active servers (complement of active)
            Added in JupyterHub 1.3
      responses:
        "200":
          description: The Hub's user list
          schema:
            type: array
            items:
              $ref: "#/definitions/User"
    post:
      summary: Create multiple users
      parameters:
        - name: body
          in: body
          required: true
          schema:
            type: object
            properties:
              usernames:
                type: array
                description: list of usernames to create on the Hub
                items:
                  type: string
              admin:
                description: whether the created users should be admins
                type: boolean
      responses:
        "201":
          description: The users have been created
          schema:
            type: array
            description: The created users
            items:
              $ref: "#/definitions/User"
  /users/{name}:
    get:
      summary: Get a user by name
      parameters:
        - name: name
          description: username
          in: path
          required: true
          type: string
      responses:
        "200":
          description: The User model
          schema:
            $ref: "#/definitions/User"
    post:
      summary: Create a single user
      parameters:
        - name: name
          description: username
          in: path
          required: true
          type: string
      responses:
        "201":
          description: The user has been created
          schema:
            $ref: "#/definitions/User"
    patch:
      summary: Modify a user
      description: Change a user's name or admin status
      parameters:
        - name: name
          description: username
          in: path
          required: true
          type: string
        - name: body
          in: body
          required: true
          description: Updated user info. At least one key to be updated (name or admin) is required.
          schema:
            type: object
            properties:
              name:
                type: string
                description: the new name (optional, if another key is updated i.e. admin)
              admin:
                type: boolean
                description: update admin (optional, if another key is updated i.e. name)
      responses:
        "200":
          description: The updated user info
          schema:
            $ref: "#/definitions/User"
    delete:
      summary: Delete a user
      parameters:
        - name: name
          description: username
          in: path
          required: true
          type: string
      responses:
        "204":
          description: The user has been deleted
  /users/{name}/activity:
    post:
      summary: Notify Hub of activity for a given user.
      description: Notify the Hub of activity by the user,
        e.g. accessing a service or (more likely)
        actively using a server.
      parameters:
        - name: name
          description: username
          in: path
          required: true
          type: string
        - name: body
          in: body
          schema:
            type: object
            properties:
              last_activity:
                type: string
                format: date-time
                description: |
                  Timestamp of last-seen activity for this user.
                  Only needed if this is not activity associated
                  with using a given server.
              servers:
                description: |
                  Register activity for specific servers by name.
                  The keys of this dict are the names of servers.
                  The default server has an empty name ('').
                type: object
                properties:
                  "<server name>":
                    description: |
                      Activity for a single server.
                    type: object
                    required:
                      - last_activity
                    properties:
                      last_activity:
                        type: string
                        format: date-time
                        description: |
                          Timestamp of last-seen activity on this server.
            example:
              last_activity: "2019-02-06T12:54:14Z"
              servers:
                "":
                  last_activity: "2019-02-06T12:54:14Z"
                gpu:
                  last_activity: "2019-02-06T12:54:14Z"
      responses:
        "401":
          $ref: "#/responses/Unauthorized"
        "404":
          description: No such user
  /users/{name}/server:
    post:
      summary: Start a user's single-user notebook server
      parameters:
        - name: name
          description: username
          in: path
          required: true
          type: string
        - name: options
          description: |
            Spawn options can be passed as a JSON body
            when spawning via the API instead of spawn form.
            The structure of the options
            will depend on the Spawner's configuration.
            The body itself will be available as `user_options` for the
            Spawner.
          in: body
          required: false
          schema:
            type: object
      responses:
        "201":
          description: The user's notebook server has started
        "202":
          description: The user's notebook server has not yet started, but has been requested
    delete:
      summary: Stop a user's server
      parameters:
        - name: name
          description: username
          in: path
          required: true
          type: string
      responses:
        "204":
          description: The user's notebook server has stopped
        "202":
          description: The user's notebook server has not yet stopped as it is taking a while to stop
  /users/{name}/servers/{server_name}:
    post:
      summary: Start a user's single-user named-server notebook server
      parameters:
        - name: name
          description: username
          in: path
          required: true
          type: string
        - name: server_name
          description: |
            name given to a named-server.
            Note that depending on your JupyterHub infrastructure there are chracterter size limitation to `server_name`. Default spawner with K8s pod will not allow Jupyter Notebooks to be spawned with a name that contains more than 253 characters (keep in mind that the pod will be spawned with extra characters to identify the user and hub).
          in: path
          required: true
          type: string
        - name: options
          description: |
            Spawn options can be passed as a JSON body
            when spawning via the API instead of spawn form.
            The structure of the options
            will depend on the Spawner's configuration.
          in: body
          required: false
          schema:
            type: object
      responses:
        "201":
          description: The user's notebook named-server has started
        "202":
          description: The user's notebook named-server has not yet started, but has been requested
    delete:
      summary: Stop a user's named-server
      parameters:
        - name: name
          description: username
          in: path
          required: true
          type: string
        - name: server_name
          description: name given to a named-server
          in: path
          required: true
          type: string
        - name: body
          in: body
          required: false
          schema:
            type: object
            properties:
              remove:
                type: boolean
                description: |
                  Whether to fully remove the server, rather than just stop it.
                  Removing a server deletes things like the state of the stopped server.
                  Default: false.
      responses:
        "204":
          description: The user's notebook named-server has stopped
        "202":
          description: The user's notebook named-server has not yet stopped as it is taking a while to stop
  /users/{name}/tokens:
    parameters:
      - name: name
        description: username
        in: path
        required: true
        type: string
    get:
      summary: List tokens for the user
      responses:
        "200":
          description: The list of tokens
          schema:
            type: array
            items:
              $ref: "#/definitions/Token"
        "401":
          $ref: "#/responses/Unauthorized"
        "404":
          description: No such user
    post:
      summary: Create a new token for the user
      parameters:
        - name: token_params
          in: body
          required: false
          schema:
            type: object
            properties:
              expires_in:
                type: number
                description: lifetime (in seconds) after which the requested token will expire.
              note:
                type: string
                description: A note attached to the token for future bookkeeping
      responses:
        "201":
          description: The newly created token
          schema:
            $ref: "#/definitions/Token"
        "400":
          description: Body must be a JSON dict or empty
  /users/{name}/tokens/{token_id}:
    parameters:
      - name: name
        description: username
        in: path
        required: true
        type: string
      - name: token_id
        in: path
        required: true
        type: string
    get:
      summary: Get the model for a token by id
      responses:
        "200":
          description: The info for the new token
          schema:
            $ref: "#/definitions/Token"
    delete:
      summary: Delete (revoke) a token by id
      responses:
        "204":
          description: The token has been deleted
  /user:
    get:
      summary: Return authenticated user's model
      responses:
        "200":
          description: The authenticated user's model is returned.
          schema:
            $ref: "#/definitions/User"
  /groups:
    get:
      summary: List groups
      responses:
        "200":
          description: The list of groups
          schema:
            type: array
            items:
              $ref: "#/definitions/Group"
  /groups/{name}:
    get:
      summary: Get a group by name
      parameters:
        - name: name
          description: group name
          in: path
          required: true
          type: string
      responses:
        "200":
          description: The group model
          schema:
            $ref: "#/definitions/Group"
    post:
      summary: Create a group
      parameters:
        - name: name
          description: group name
          in: path
          required: true
          type: string
      responses:
        "201":
          description: The group has been created
          schema:
            $ref: "#/definitions/Group"
    delete:
      summary: Delete a group
      parameters:
        - name: name
          description: group name
          in: path
          required: true
          type: string
      responses:
        "204":
          description: The group has been deleted
  /groups/{name}/users:
    post:
      summary: Add users to a group
      parameters:
        - name: name
          description: group name
          in: path
          required: true
          type: string
        - name: body
          in: body
          required: true
          description: The users to add to the group
          schema:
            type: object
            properties:
              users:
                type: array
                description: List of usernames to add to the group
                items:
                  type: string
      responses:
        "200":
          description: The users have been added to the group
          schema:
            $ref: "#/definitions/Group"
    delete:
      summary: Remove users from a group
      parameters:
        - name: name
          description: group name
          in: path
          required: true
          type: string
        - name: body
          in: body
          required: true
          description: The users to remove from the group
          schema:
            type: object
            properties:
              users:
                type: array
                description: List of usernames to remove from the group
                items:
                  type: string
      responses:
        "200":
          description: The users have been removed from the group
  /services:
    get:
      summary: List services
      responses:
        "200":
          description: The service list
          schema:
            type: array
            items:
              $ref: "#/definitions/Service"
  /services/{name}:
    get:
      summary: Get a service by name
      parameters:
        - name: name
          description: service name
          in: path
          required: true
          type: string
      responses:
        "200":
          description: The Service model
          schema:
            $ref: "#/definitions/Service"
  /proxy:
    get:
      summary: Get the proxy's routing table
      description: A convenience alias for getting the routing table directly from the proxy
      responses:
        "200":
          description: Routing table
          schema:
            type: object
            description: configurable-http-proxy routing table (see configurable-http-proxy docs for details)
    post:
      summary: Force the Hub to sync with the proxy
      responses:
        "200":
          description: Success
    patch:
      summary: Notify the Hub about a new proxy
      description: Notifies the Hub of a new proxy to use.
      parameters:
        - name: body
          in: body
          required: true
          description: Any values that have changed for the new proxy. All keys are optional.
          schema:
            type: object
            properties:
              ip:
                type: string
                description: IP address of the new proxy
              port:
                type: string
                description: Port of the new proxy
              protocol:
                type: string
                description: Protocol of new proxy, if changed
              auth_token:
                type: string
                description: CONFIGPROXY_AUTH_TOKEN for the new proxy
      responses:
        "200":
          description: Success
  /authorizations/token:
    post:
      summary: Request a new API token
      description: |
        Request a new API token to use with the JupyterHub REST API.
        If not already authenticated, username and password can be sent
        in the JSON request body.
        Logging in via this method is only available when the active Authenticator
        accepts passwords (e.g. not OAuth).
      parameters:
        - name: credentials
          in: body
          schema:
            type: object
            properties:
              username:
                type: string
              password:
                type: string
      responses:
        "200":
          description: The new API token
          schema:
            type: object
            properties:
              token:
                type: string
                description: The new API token.
        "403":
          description: The user can not be authenticated.
  /authorizations/token/{token}:
    get:
      summary: Identify a user or service from an API token
      parameters:
        - name: token
          in: path
          required: true
          type: string
      responses:
        "200":
          description: The user or service identified by the API token
        "404":
          description: A user or service is not found.
  /authorizations/cookie/{cookie_name}/{cookie_value}:
    get:
      summary: Identify a user from a cookie
      description: Used by single-user notebook servers to hand off cookie authentication to the Hub
      parameters:
        - name: cookie_name
          in: path
          required: true
          type: string
        - name: cookie_value
          in: path
          required: true
          type: string
      responses:
        "200":
          description: The user identified by the cookie
          schema:
            $ref: "#/definitions/User"
        "404":
          description: A user is not found.
  /oauth2/authorize:
    get:
      summary: "OAuth 2.0 authorize endpoint"
      description: |
        Redirect users to this URL to begin the OAuth process.
        It is not an API endpoint.
      parameters:
        - name: client_id
          description: The client id
          in: query
          required: true
          type: string
        - name: response_type
          description: The response type (always 'code')
          in: query
          required: true
          type: string
        - name: state
          description: A state string
          in: query
          required: false
          type: string
        - name: redirect_uri
          description: The redirect url
          in: query
          required: true
          type: string
      responses:
        "200":
          description: Success
        "400":
          description: OAuth2Error
  /oauth2/token:
    post:
      summary: Request an OAuth2 token
      description: |
        Request an OAuth2 token from an authorization code.
        This request completes the OAuth process.
      consumes:
        - application/x-www-form-urlencoded
      parameters:
        - name: client_id
          description: The client id
          in: formData
          required: true
          type: string
        - name: client_secret
          description: The client secret
          in: formData
          required: true
          type: string
        - name: grant_type
          description: The grant type (always 'authorization_code')
          in: formData
          required: true
          type: string
        - name: code
          description: The code provided by the authorization redirect
          in: formData
          required: true
          type: string
        - name: redirect_uri
          description: The redirect url
          in: formData
          required: true
          type: string
      responses:
        "200":
          description: JSON response including the token
          schema:
            type: object
            properties:
              access_token:
                type: string
                description: The new API token for the user
              token_type:
                type: string
                description: Will always be 'Bearer'
  /shutdown:
    post:
      summary: Shutdown the Hub
      parameters:
        - name: body
          in: body
          schema:
            type: object
            properties:
              proxy:
                type: boolean
                description: Whether the proxy should be shutdown as well (default from Hub config)
              servers:
                type: boolean
                description: Whether users' notebook servers should be shutdown as well (default from Hub config)
      responses:
        "202":
          description: Shutdown successful
        "400":
          description: Unexpeced value for proxy or servers
 # Descriptions of common responses
 responses:
  NotFound:
    description: The specified resource was not found
  Unauthorized:
    description: Authentication/Authorization error
 definitions:
  User:
    type: object
    properties:
      name:
        type: string
        description: The user's name
      admin:
        type: boolean
        description: Whether the user is an admin
      groups:
        type: array
        description: The names of groups where this user is a member
        items:
          type: string
      server:
        type: string
        description: The user's notebook server's base URL, if running; null if not.
      pending:
        type: string
        enum: ["spawn", "stop", null]
        description: The currently pending action, if any
      last_activity:
        type: string
        format: date-time
        description: Timestamp of last-seen activity from the user
      servers:
        type: array
        description: The active servers for this user.
        items:
          $ref: "#/definitions/Server"
  Server:
    type: object
    properties:
      name:
        type: string
        description: The server's name. The user's default server has an empty name ('')
      ready:
        type: boolean
        description: |
          Whether the server is ready for traffic.
          Will always be false when any transition is pending.
      pending:
        type: string
        enum: ["spawn", "stop", null]
        description: |
          The currently pending action, if any.
          A server is not ready if an action is pending.
      url:
        type: string
        description: |
          The URL where the server can be accessed
          (typically /user/:name/:server.name/).
      progress_url:
        type: string
        description: |
          The URL for an event-stream to retrieve events during a spawn.
      started:
        type: string
        format: date-time
        description: UTC timestamp when the server was last started.
      last_activity:
        type: string
        format: date-time
        description: UTC timestamp last-seen activity on this server.
      state:
        type: object
        description: Arbitrary internal state from this server's spawner.  Only available on the hub's users list or get-user-by-name method, and only if a hub admin.  None otherwise.
      user_options:
        type: object
        description: User specified options for the user's spawned instance of a single-user server.
  Group:
    type: object
    properties:
      name:
        type: string
        description: The group's name
      users:
        type: array
        description: The names of users who are members of this group
        items:
          type: string
  Service:
    type: object
    properties:
      name:
        type: string
        description: The service's name
      admin:
        type: boolean
        description: Whether the service is an admin
      url:
        type: string
        description: The internal url where the service is running
      prefix:
        type: string
        description: The proxied URL prefix to the service's url
      pid:
        type: number
        description: The PID of the service process (if managed)
      command:
        type: array
        description: The command used to start the service (if managed)
        items:
          type: string
      info:
        type: object
        description: |
          Additional information a deployment can attach to a service.
          JupyterHub does not use this field.
  Token:
    type: object
    properties:
      token:
        type: string
        description: The token itself. Only present in responses to requests for a new token.
      id:
        type: string
        description: The id of the API token. Used for modifying or deleting the token.
      user:
        type: string
        description: The user that owns a token (undefined if owned by a service)
      service:
        type: string
        description: The service that owns the token (undefined if owned by a user)
      note:
        type: string
        description: A note about the token, typically describing what it was created for.
      created:
        type: string
        format: date-time
        description: Timestamp when this token was created
      expires_at:
        type: string
        format: date-time
        description: Timestamp when this token expires. Null if there is no expiry.
      last_activity:
        type: string
        format: date-time
        description: |
          Timestamp of last-seen activity using this token.
          Can be null if token has never been used.
--- a/docs/source/_static/custom.css
+++ b/docs/source/_static/custom.css
@@ -2,9 +2,3 @@
 .navbar-brand {
  height: 4rem !important;
 }
 /* hide redundant funky-formatted swagger-ui version */
 .swagger-ui .info .title small {
  display: none !important;
 }
--- a/docs/source/_static/rest-api.yml
+++ b/docs/source/_static/rest-api.yml
--- a/docs/source/admin/upgrading.rst
+++ b/docs/source/admin/upgrading.rst
@@ -0,0 +1,159 @@
 .. _admin/upgrading:
 ====================
 Upgrading JupyterHub
 ====================
 JupyterHub offers easy upgrade pathways between minor versions. This
 document describes how to do these upgrades.
 If you are using :ref:`a JupyterHub distribution <index/distributions>`, you
 should consult the distribution's documentation on how to upgrade. This
 document is if you have set up your own JupyterHub without using a
 distribution.
 It is long because is pretty detailed! Most likely, upgrading
 JupyterHub is painless, quick and with minimal user interruption.
 Read the Changelog
 ==================
 The `changelog <../changelog.html>`_ contains information on what has
 changed with the new JupyterHub release, and any deprecation warnings.
 Read these notes to familiarize yourself with the coming changes. There
 might be new releases of authenticators & spawners you are using, so
 read the changelogs for those too!
 Notify your users
 =================
 If you are using the default configuration where ``configurable-http-proxy``
 is managed by JupyterHub, your users will see service disruption during
 the upgrade process. You should notify them, and pick a time to do the
 upgrade where they will be least disrupted.
 If you are using a different proxy, or running ``configurable-http-proxy``
 independent of JupyterHub, your users will be able to continue using notebook
 servers they had already launched, but will not be able to launch new servers
 nor sign in.
 Backup database & config
 ========================
 Before doing an upgrade, it is critical to back up:
 #. Your JupyterHub database (sqlite by default, or MySQL / Postgres
   if you used those). If you are using sqlite (the default), you
   should backup the ``jupyterhub.sqlite`` file.
 #. Your ``jupyterhub_config.py`` file.
 #. Your user's home directories. This is unlikely to be affected directly by
   a JupyterHub upgrade, but we recommend a backup since user data is very
   critical.
 Shutdown JupyterHub
 ===================
 Shutdown the JupyterHub process. This would vary depending on how you
 have set up JupyterHub to run. Most likely, it is using a process
 supervisor of some sort (``systemd`` or ``supervisord`` or even ``docker``).
 Use the supervisor specific command to stop the JupyterHub process.
 Upgrade JupyterHub packages
 ===========================
 There are two environments where the ``jupyterhub`` package is installed:
 #. The *hub environment*, which is where the JupyterHub server process
   runs. This is started with the ``jupyterhub`` command, and is what
   people generally think of as JupyterHub.
 #. The *notebook user environments*. This is where the user notebook
   servers are launched from, and is probably custom to your own
   installation. This could be just one environment (different from the
   hub environment) that is shared by all users, one environment
   per user, or same environment as the hub environment. The hub
   launched the ``jupyterhub-singleuser`` command in this environment,
   which in turn starts the notebook server.
 You need to make sure the version of the ``jupyterhub`` package matches
 in both these environments. If you installed ``jupyterhub`` with pip,
 you can upgrade it with:
 .. code-block:: bash
   python3 -m pip install --upgrade jupyterhub==<version>
 Where ``<version>`` is the version of JupyterHub you are upgrading to.
 If you used ``conda`` to install ``jupyterhub``, you should upgrade it
 with:
 .. code-block:: bash
   conda install -c conda-forge jupyterhub==<version>
 Where ``<version>`` is the version of JupyterHub you are upgrading to.
 You should also check for new releases of the authenticator & spawner you
 are using. You might wish to upgrade those packages too along with JupyterHub,
 or upgrade them separately.
 Upgrade JupyterHub database
 ===========================
 Once new packages are installed, you need to upgrade the JupyterHub
 database. From the hub environment, in the same directory as your
 ``jupyterhub_config.py`` file, you should run:
 .. code-block:: bash
   jupyterhub upgrade-db
 This should find the location of your database, and run necessary upgrades
 for it.
 SQLite database disadvantages
 -----------------------------
 SQLite has some disadvantages when it comes to upgrading JupyterHub. These
 are:
 -  ``upgrade-db`` may not work, and you may need delete your database
   and start with a fresh one.
 -  ``downgrade-db`` **will not** work if you want to rollback to an
   earlier version, so backup the ``jupyterhub.sqlite`` file before
   upgrading
 What happens if I delete my database?
 -------------------------------------
 Losing the Hub database is often not a big deal. Information that
 resides only in the Hub database includes:
 -  active login tokens (user cookies, service tokens)
 -  users added via JupyterHub UI, instead of config files
 -  info about running servers
 If the following conditions are true, you should be fine clearing the
 Hub database and starting over:
 -  users specified in config file, or login using an external
   authentication provider (Google, GitHub, LDAP, etc)
 -  user servers are stopped during upgrade
 -  don't mind causing users to login again after upgrade
 Start JupyterHub
 ================
 Once the database upgrade is completed, start the ``jupyterhub``
 process again.
 #. Log-in and start the server to make sure things work as
   expected.
 #. Check the logs for any errors or deprecation warnings. You
   might have to update your ``jupyterhub_config.py`` file to
   deal with any deprecated options.
 Congratulations, your JupyterHub has been upgraded!
--- a/docs/source/api/app.rst
+++ b/docs/source/api/app.rst
@@ -0,0 +1,15 @@
 =========================
 Application configuration
 =========================
 Module: :mod:`jupyterhub.app`
 =============================
 .. automodule:: jupyterhub.app
 .. currentmodule:: jupyterhub.app
 :class:`JupyterHub`
 -------------------
 .. autoconfigurable:: JupyterHub
--- a/docs/source/api/auth.rst
+++ b/docs/source/api/auth.rst
@@ -0,0 +1,32 @@
 ==============
 Authenticators
 ==============
 Module: :mod:`jupyterhub.auth`
 ==============================
 .. automodule:: jupyterhub.auth
 .. currentmodule:: jupyterhub.auth
 :class:`Authenticator`
 ----------------------
 .. autoconfigurable:: Authenticator
    :members:
 :class:`LocalAuthenticator`
 ---------------------------
 .. autoconfigurable:: LocalAuthenticator
    :members:
 :class:`PAMAuthenticator`
 -------------------------
 .. autoconfigurable:: PAMAuthenticator
 :class:`DummyAuthenticator`
 ---------------------------
 .. autoconfigurable:: DummyAuthenticator
--- a/docs/source/api/index.rst
+++ b/docs/source/api/index.rst
@@ -0,0 +1,38 @@
 .. _api-index:
 ##############
 JupyterHub API
 ##############
 :Release: |release|
 :Date: |today|
 JupyterHub also provides a REST API for administration of the Hub and users.
 The documentation on `Using JupyterHub's REST API <../reference/rest.html>`_ provides
 information on:
 - what you can do with the API
 - creating an API token
 - adding API tokens to the config files
 - making an API request programmatically using the requests library
 - learning more about JupyterHub's API
 The same JupyterHub API spec, as found here, is available in an interactive form
 `here (on swagger's petstore) <https://petstore3.swagger.io/?url=https://raw.githubusercontent.com/jupyterhub/jupyterhub/HEAD/docs/rest-api.yml#!/default>`__.
 The `OpenAPI Initiative`_ (fka Swagger™) is a project used to describe
 and document RESTful APIs.
 JupyterHub API Reference:
 .. toctree::
    app
    auth
    spawner
    proxy
    user
    service
    services.auth
 .. _OpenAPI Initiative: https://www.openapis.org/
--- a/docs/source/api/proxy.rst
+++ b/docs/source/api/proxy.rst
@@ -0,0 +1,22 @@
 =======
 Proxies
 =======
 Module: :mod:`jupyterhub.proxy`
 ===============================
 .. automodule:: jupyterhub.proxy
 .. currentmodule:: jupyterhub.proxy
 :class:`Proxy`
 --------------
 .. autoconfigurable:: Proxy
    :members:
 :class:`ConfigurableHTTPProxy`
 ------------------------------
 .. autoconfigurable:: ConfigurableHTTPProxy
    :members: debug, auth_token, check_running_interval, api_url, command
--- a/docs/source/api/service.rst
+++ b/docs/source/api/service.rst
@@ -0,0 +1,16 @@
 ========
 Services
 ========
 Module: :mod:`jupyterhub.services.service`
 ==========================================
 .. automodule:: jupyterhub.services.service
 .. currentmodule:: jupyterhub.services.service
 :class:`Service`
 ----------------
 .. autoconfigurable:: Service
    :members: name, admin, url, api_token, managed, kind, command, cwd, environment, user, oauth_client_id, server, prefix, proxy_spec
--- a/docs/source/api/services.auth.rst
+++ b/docs/source/api/services.auth.rst
@@ -0,0 +1,40 @@
 =======================
 Services Authentication
 =======================
 Module: :mod:`jupyterhub.services.auth`
 =======================================
 .. automodule:: jupyterhub.services.auth
 .. currentmodule:: jupyterhub.services.auth
 :class:`HubAuth`
 ----------------
 .. autoconfigurable:: HubAuth
    :members:
 :class:`HubOAuth`
 -----------------
 .. autoconfigurable:: HubOAuth
    :members:
 :class:`HubAuthenticated`
 -------------------------
 .. autoclass:: HubAuthenticated
    :members:
 :class:`HubOAuthenticated`
 --------------------------
 .. autoclass:: HubOAuthenticated
 :class:`HubOAuthCallbackHandler`
 --------------------------------
 .. autoclass:: HubOAuthCallbackHandler
--- a/docs/source/api/spawner.rst
+++ b/docs/source/api/spawner.rst
@@ -0,0 +1,21 @@
 ========
 Spawners
 ========
 Module: :mod:`jupyterhub.spawner`
 =================================
 .. automodule:: jupyterhub.spawner
 .. currentmodule:: jupyterhub.spawner
 :class:`Spawner`
 ----------------
 .. autoconfigurable:: Spawner
    :members: options_from_form, poll, start, stop, get_args, get_env, get_state, template_namespace, format_string, create_certs, move_certs
 :class:`LocalProcessSpawner`
 ----------------------------
 .. autoconfigurable:: LocalProcessSpawner
--- a/docs/source/api/user.rst
+++ b/docs/source/api/user.rst
@@ -0,0 +1,36 @@
 =====
 Users
 =====
 Module: :mod:`jupyterhub.user`
 ==============================
 .. automodule:: jupyterhub.user
 .. currentmodule:: jupyterhub.user
 :class:`UserDict`
 -----------------
 .. autoclass:: UserDict
    :members:
 :class:`User`
 -------------
 .. autoclass:: User
    :members: escaped_name
    .. attribute:: name
      The user's name
    .. attribute:: server
        The user's Server data object if running, None otherwise.
        Has ``ip``, ``port`` attributes.
    .. attribute:: spawner
        The user's :class:`~.Spawner` instance.
--- a/docs/source/changelog.md
+++ b/docs/source/changelog.md
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -1,80 +1,71 @@
-# Configuration file for Sphinx to build our documentation to HTML.
+# -*- coding: utf-8 -*-
 #
 # Configuration reference: https://www.sphinx-doc.org/en/master/usage/configuration.html
 #
 import contextlib
 import datetime
 import io
 import os
-import subprocess
+import sys
-from docutils import nodes
+# Set paths
-from sphinx.directives.other import SphinxDirective
+sys.path.insert(0, os.path.abspath('.'))
 # -- General configuration ------------------------------------------------
 # Minimal Sphinx version
 needs_sphinx = '1.4'
 # Sphinx extension modules
 extensions = [
    'sphinx.ext.autodoc',
    'sphinx.ext.intersphinx',
    'sphinx.ext.napoleon',
    'autodoc_traits',
    'sphinx_copybutton',
    'sphinx-jsonschema',
    'recommonmark',
 ]
 # The master toctree document.
 master_doc = 'index'
 # General information about the project.
 project = u'JupyterHub'
 copyright = u'2016, Project Jupyter team'
 author = u'Project Jupyter team'
 # Autopopulate version
 from os.path import dirname
 docs = dirname(dirname(__file__))
 root = dirname(docs)
 sys.path.insert(0, root)
 import jupyterhub
 # The short X.Y version.
 version = '%i.%i' % jupyterhub.version_info[:2]
 # The full version, including alpha/beta/rc tags.
 release = jupyterhub.__version__
 language = None
 exclude_patterns = []
 pygments_style = 'sphinx'
 todo_include_todos = False
 # Set the default role so we can use `foo` instead of ``foo``
 default_role = 'literal'
 # -- Source -------------------------------------------------------------
 import recommonmark
 from recommonmark.transform import AutoStructify
 # -- Config -------------------------------------------------------------
 from jupyterhub.app import JupyterHub
 from docutils import nodes
 from sphinx.directives.other import SphinxDirective
 from contextlib import redirect_stdout
 from io import StringIO
-# -- Project information -----------------------------------------------------
+# create a temp instance of JupyterHub just to get the output of the generate-config
-# ref: https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
+# and help --all commands.
 #
 project = "JupyterHub"
 author = "Project Jupyter Contributors"
 copyright = f"{datetime.date.today().year}, {author}"
 # -- General Sphinx configuration --------------------------------------------
 # ref: https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
 #
 extensions = [
    "sphinx.ext.autodoc",
    "sphinx.ext.intersphinx",
    "sphinx.ext.napoleon",
    "autodoc_traits",
    "sphinx_copybutton",
    "sphinx-jsonschema",
    "sphinxext.opengraph",
    "sphinxext.rediraffe",
    "jupyterhub_sphinx_theme",
    "myst_parser",
 ]
 root_doc = "index"
 source_suffix = [".md"]
 # default_role let's use use `foo` instead of ``foo`` in rST
 default_role = "literal"
 # -- MyST configuration ------------------------------------------------------
 # ref: https://myst-parser.readthedocs.io/en/latest/configuration.html
 #
 myst_heading_anchors = 2
 myst_enable_extensions = [
    # available extensions: https://myst-parser.readthedocs.io/en/latest/syntax/optional.html
    "attrs_inline",
    "colon_fence",
    "deflist",
    "fieldlist",
    "substitution",
 ]
 myst_substitutions = {
    # date example: Dev 07, 2022
    "date": datetime.date.today().strftime("%b %d, %Y").title(),
    "version": jupyterhub.__version__,
 }
 # -- Custom directives to generate documentation -----------------------------
 # ref: https://myst-parser.readthedocs.io/en/latest/syntax/roles-and-directives.html
 #
 # We define custom directives to help us generate documentation using Python on
 # demand when referenced from our documentation files.
 #
 # Create a temp instance of JupyterHub for use by two separate directive classes
 # to get the output from using the "--generate-config" and "--help-all" CLI
 # flags respectively.
 #
 jupyterhub_app = JupyterHub()
@@ -91,8 +82,8 @@ class ConfigDirective(SphinxDirective):
        # The generated configuration file for this version
        generated_config = jupyterhub_app.generate_config_file()
        # post-process output
-        home_dir = os.environ["HOME"]
+        home_dir = os.environ['HOME']
-        generated_config = generated_config.replace(home_dir, "$HOME", 1)
+        generated_config = generated_config.replace(home_dir, '$HOME', 1)
        par = nodes.literal_block(text=generated_config)
        return [par]
@@ -108,140 +99,135 @@ class HelpAllDirective(SphinxDirective):
    def run(self):
        # The output of the help command for this version
-        buffer = io.StringIO()
+        buffer = StringIO()
-        with contextlib.redirect_stdout(buffer):
+        with redirect_stdout(buffer):
-            jupyterhub_app.print_help("--help-all")
+            jupyterhub_app.print_help('--help-all')
        all_help = buffer.getvalue()
        # post-process output
-        home_dir = os.environ["HOME"]
+        home_dir = os.environ['HOME']
-        all_help = all_help.replace(home_dir, "$HOME", 1)
+        all_help = all_help.replace(home_dir, '$HOME', 1)
        par = nodes.literal_block(text=all_help)
        return [par]
 def setup(app):
-    app.add_css_file("custom.css")
+    app.add_config_value('recommonmark_config', {'enable_eval_rst': True}, True)
-    app.add_directive("jupyterhub-generate-config", ConfigDirective)
+    app.add_css_file('custom.css')
-    app.add_directive("jupyterhub-help-all", HelpAllDirective)
+    app.add_transform(AutoStructify)
    app.add_directive('jupyterhub-generate-config', ConfigDirective)
    app.add_directive('jupyterhub-help-all', HelpAllDirective)
-# -- Read The Docs -----------------------------------------------------------
+source_suffix = ['.rst', '.md']
-#
+# source_encoding = 'utf-8-sig'
-# Since RTD runs sphinx-build directly without running "make html", we run the
+
-# pre-requisite steps for "make html" from here if needed.
+# -- Options for HTML output ----------------------------------------------
-#
+
-if os.environ.get("READTHEDOCS"):
+# The theme to use for HTML and HTML Help pages.
-    docs = os.path.dirname(os.path.dirname(__file__))
+html_theme = 'pydata_sphinx_theme'
-    subprocess.check_call(["make", "metrics", "scopes"], cwd=docs)
+
 html_logo = '_static/images/logo/logo.png'
 html_favicon = '_static/images/logo/favicon.ico'
 # Paths that contain custom static files (such as style sheets)
 html_static_path = ['_static']
 htmlhelp_basename = 'JupyterHubdoc'
 # -- Options for LaTeX output ---------------------------------------------
 latex_elements = {
    # 'papersize': 'letterpaper',
    # 'pointsize': '10pt',
    # 'preamble': '',
    # 'figure_align': 'htbp',
 }
 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
    (
        master_doc,
        'JupyterHub.tex',
        u'JupyterHub Documentation',
        u'Project Jupyter team',
        'manual',
    )
 ]
 # latex_logo = None
 # latex_use_parts = False
 # latex_show_pagerefs = False
 # latex_show_urls = False
 # latex_appendices = []
 # latex_domain_indices = True
-# -- Spell checking ----------------------------------------------------------
+# -- manual page output -------------------------------------------------
-# ref: https://sphinxcontrib-spelling.readthedocs.io/en/latest/customize.html#configuration-options
+
-#
+# One entry per manual page. List of tuples
-# The "sphinxcontrib.spelling" extension is optionally enabled if its available.
+# (source start file, name, description, authors, manual section).
-#
+man_pages = [(master_doc, 'jupyterhub', u'JupyterHub Documentation', [author], 1)]
 # man_show_urls = False
 # -- Texinfo output -----------------------------------------------------
 # Grouping the document tree into Texinfo files. List of tuples
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
    (
        master_doc,
        'JupyterHub',
        u'JupyterHub Documentation',
        author,
        'JupyterHub',
        'One line description of project.',
        'Miscellaneous',
    )
 ]
 # texinfo_appendices = []
 # texinfo_domain_indices = True
 # texinfo_show_urls = 'footnote'
 # texinfo_no_detailmenu = False
 # -- Epub output --------------------------------------------------------
 # Bibliographic Dublin Core info.
 epub_title = project
 epub_author = author
 epub_publisher = author
 epub_copyright = copyright
 # A list of files that should not be packed into the epub file.
 epub_exclude_files = ['search.html']
 # -- Intersphinx ----------------------------------------------------------
 intersphinx_mapping = {'https://docs.python.org/3/': None}
 # -- Read The Docs --------------------------------------------------------
 on_rtd = os.environ.get('READTHEDOCS', None) == 'True'
 if on_rtd:
    # readthedocs.org uses their theme by default, so no need to specify it
    # build both metrics and rest-api, since RTD doesn't run make
    from subprocess import check_call as sh
    sh(['make', 'metrics', 'rest-api'], cwd=docs)
 # -- Spell checking -------------------------------------------------------
 try:
-    import sphinxcontrib.spelling  # noqa
+    import sphinxcontrib.spelling
 except ImportError:
    pass
 else:
    extensions.append("sphinxcontrib.spelling")
 spelling_word_list_filename = "spelling_wordlist.txt"
-
+spelling_word_list_filename = 'spelling_wordlist.txt'
 # -- Options for HTML output -------------------------------------------------
 # ref: https://www.sphinx-doc.org/en/master/usage/configuration.html#options-for-html-output
 #
 html_logo = "_static/images/logo/logo.png"
 html_favicon = "_static/images/logo/favicon.ico"
 html_static_path = ["_static"]
 html_theme = "jupyterhub_sphinx_theme"
 html_theme_options = {
    "icon_links": [
        {
            "name": "GitHub",
            "url": "https://github.com/jupyterhub/jupyterhub",
            "icon": "fa-brands fa-github",
        },
    ],
    "use_edit_page_button": True,
    "navbar_align": "left",
 }
 html_context = {
    "github_user": "jupyterhub",
    "github_repo": "jupyterhub",
    "github_version": "main",
    "doc_path": "docs/source",
 }
 # -- Options for linkcheck builder -------------------------------------------
 # ref: https://www.sphinx-doc.org/en/master/usage/configuration.html#options-for-the-linkcheck-builder
 #
 linkcheck_ignore = [
    r"(.*)github\.com(.*)#",  # javascript based anchors
    r"(.*)/#%21(.*)/(.*)",  # /#!forum/jupyter - encoded anchor edge case
    r"https://github.com/[^/]*$",  # too many github usernames / searches in changelog
    "https://github.com/jupyterhub/jupyterhub/pull/",  # too many PRs in changelog
    "https://github.com/jupyterhub/jupyterhub/compare/",  # too many comparisons in changelog
    r"https?://(localhost|127.0.0.1).*",  # ignore localhost references in auto-links
    r".*/rest-api.html#.*",  # ignore javascript-resolved internal rest-api links
    r"https://jupyter.chameleoncloud.org",  # FIXME: ignore (presumably) short-term SSL issue
 ]
 linkcheck_anchors_ignore = [
    "/#!",
    "/#%21",
 ]
 # -- Intersphinx -------------------------------------------------------------
 # ref: https://www.sphinx-doc.org/en/master/usage/extensions/intersphinx.html#configuration
 #
 intersphinx_mapping = {
    "python": ("https://docs.python.org/3/", None),
    "tornado": ("https://www.tornadoweb.org/en/stable/", None),
    "jupyter-server": ("https://jupyter-server.readthedocs.io/en/stable/", None),
    "nbgitpuller": ("https://nbgitpuller.readthedocs.io/en/latest", None),
 }
 # -- Options for the opengraph extension -------------------------------------
 # ref: https://github.com/wpilibsuite/sphinxext-opengraph#options
 #
 # ogp_site_url is set automatically by RTD
 ogp_image = "_static/logo.png"
 ogp_use_first_image = True
 # -- Options for the rediraffe extension -------------------------------------
 # ref: https://github.com/wpilibsuite/sphinxext-rediraffe#readme
 #
 # This extension helps us relocate content without breaking links. If a
 # document is moved internally, a redirect link should be configured as below to
 # help us not break links.
 #
 # The workflow for adding redirects can be as follows:
 # 1. Change "rediraffe_branch" below to point to the commit/ branch you
 #    want to base off the changes.
 # 2. Option 1: run "make rediraffecheckdiff"
 #       a. Analyze the output of this command.
 #       b. Manually add the redirect entries to the "redirects.txt" file.
 #    Option 2: run "make rediraffewritediff"
 #       a. rediraffe will then automatically add the obvious redirects to redirects.txt.
 #       b. Analyze the output of the command for broken links.
 #       c. Check the "redirects.txt" file for any files that were moved/ renamed but are not listed.
 #       d. Manually add the redirects that have been mised by the automatic builder to "redirects.txt".
 #    Option 3: Do not use the commands above and, instead, do everything manually - by taking
 #    note of the files you have moved or renamed and adding them to the "redirects.txt" file.
 #
 # If you are basing changes off another branch/ commit, always change back
 # rediraffe_branch to main before pushing your changes upstream.
 #
 rediraffe_branch = os.environ.get("REDIRAFFE_BRANCH", "main")
 rediraffe_redirects = "redirects.txt"
 # allow 80% match for autogenerated redirects
 rediraffe_auto_redirect_perc = 80
 # rediraffe_redirects = {
 # "old-file": "new-folder/new-file-name",
 # }
--- a/docs/source/contributing/community.md
+++ b/docs/source/contributing/community.md
@@ -1,27 +0,0 @@
 # Community communication channels
 We use different channels of communication for different purposes. Whichever one you use will depend on what kind of communication you want to engage in.
 ## Discourse (recommended)
 We use [Discourse](https://discourse.jupyter.org) for online discussions and support questions.
 You can ask questions here if you are a first-time contributor to the JupyterHub project.
 Everyone in the Jupyter community is welcome to bring ideas and questions there.
 We recommend that you first use our Discourse as all past and current discussions on it are archived and searchable. Thus, all discussions remain useful and accessible to the whole community.
 ## Gitter
 We use [our Gitter channel](https://gitter.im/jupyterhub/jupyterhub) for online, real-time text chat; a place for more ephemeral discussions. When you're not on Discourse, you can stop here to have other discussions on the fly.
 ## Github Issues
 [Github issues](https://docs.github.com/en/issues/tracking-your-work-with-issues/about-issues) are used for most long-form project discussions, bug reports and feature requests.
 - Issues related to a specific authenticator or spawner should be opened in the appropriate repository for the authenticator or spawner.
 - If you are using a specific JupyterHub distribution (such as [Zero to JupyterHub on Kubernetes](https://github.com/jupyterhub/zero-to-jupyterhub-k8s) or [The Littlest JupyterHub](https://github.com/jupyterhub/the-littlest-jupyterhub/)), you should open issues directly in their repository.
 - If you cannot find a repository to open your issue in, do not worry! Open the issue in the [main JupyterHub repository](https://github.com/jupyterhub/jupyterhub/) and our community will help you figure it out.
 ```{note}
 Our community is distributed across the world in various timezones, so please be patient if you do not get a response immediately!
 ```
--- a/docs/source/contributing/community.rst
+++ b/docs/source/contributing/community.rst
@@ -0,0 +1,30 @@
 .. _contributing/community:
 ================================
 Community communication channels
 ================================
 We use `Discourse <https://discourse.jupyter.org>` for online discussion.
 Everyone in the Jupyter community is welcome to bring ideas and questions there.
 In addition, we use `Gitter <https://gitter.im>`_ for online, real-time text chat,
 a place for more ephemeral discussions.
 The primary Gitter channel for JupyterHub is `jupyterhub/jupyterhub <https://gitter.im/jupyterhub/jupyterhub>`_.
 Gitter isn't archived or searchable, so we recommend going to discourse first
 to make sure that discussions are most useful and accessible to the community.
 Remember that our community is distributed across the world in various
 timezones, so be patient if you do not get an answer immediately!
 GitHub issues are used for most long-form project discussions, bug reports
 and feature requests. Issues related to a specific authenticator or
 spawner should be directed to the appropriate repository for the
 authenticator or spawner. If you are using a specific JupyterHub
 distribution (such as `Zero to JupyterHub on Kubernetes <http://github.com/jupyterhub/zero-to-jupyterhub-k8s>`_
 or `The Littlest JupyterHub <http://github.com/jupyterhub/the-littlest-jupyterhub/>`_),
 you should open issues directly in their repository. If you can not
 find a repository to open your issue in, do not worry! Create it in the `main
 JupyterHub repository <https://github.com/jupyterhub/jupyterhub/>`_ and our
 community will help you figure it out.
 A `mailing list <https://groups.google.com/forum/#!forum/jupyter>`_ for all
 of Project Jupyter exists, along with one for `teaching with Jupyter
 <https://groups.google.com/forum/#!forum/jupyter-education>`_. 
--- a/docs/source/contributing/docs.md
+++ b/docs/source/contributing/docs.md
@@ -1,76 +0,0 @@
 (contributing-docs)=
 # Contributing Documentation
 Documentation is often more important than code. This page helps
 you get set up on how to contribute to JupyterHub's documentation.
 ## Building documentation locally
 We use [sphinx](https://www.sphinx-doc.org) to build our documentation. It takes
 our documentation source files (written in [markdown](https://daringfireball.net/projects/markdown/) or [reStructuredText](https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html) &
 stored under the `docs/source` directory) and converts it into various
 formats for people to read. To make sure the documentation you write or
 change renders correctly, it is good practice to test it locally.
 1. Make sure you have successfully completed {ref}`contributing/setup`.
 2. Install the packages required to build the docs.
   ```bash
   python3 -m pip install -r docs/requirements.txt
   ```
 3. Build the html version of the docs. This is the most commonly used
   output format, so verifying it renders correctly is usually good
   enough.
   ```bash
   cd docs
   make html
   ```
   This step will display any syntax or formatting errors in the documentation,
   along with the filename / line number in which they occurred. Fix them,
   and re-run the `make html` command to re-render the documentation.
 4. View the rendered documentation by opening `_build/html/index.html` in
   a web browser.
   :::{tip}
   **On Windows**, you can open a file from the terminal with `start <path-to-file>`.
   **On macOS**, you can do the same with `open <path-to-file>`.
   **On Linux**, you can do the same with `xdg-open <path-to-file>`.
   After opening index.html in your browser you can just refresh the page whenever
   you rebuild the docs via `make html`
   :::
 (contributing-docs-conventions)=
 ## Documentation conventions
 This section lists various conventions we use in our documentation. This is a
 living document that grows over time, so feel free to add to it / change it!
 Our entire documentation does not yet fully conform to these conventions yet,
 so help in making it so would be appreciated!
 ### `pip` invocation
 There are many ways to invoke a `pip` command, we recommend the following
 approach:
 ```bash
 python3 -m pip
 ```
 This invokes pip explicitly using the python3 binary that you are
 currently using. This is the **recommended way** to invoke pip
 in our documentation, since it is least likely to cause problems
 with python3 and pip being from different environments.
 For more information on how to invoke `pip` commands, see
 [the pip documentation](https://pip.pypa.io/en/stable/).
--- a/docs/source/contributing/docs.rst
+++ b/docs/source/contributing/docs.rst
@@ -0,0 +1,78 @@
 .. _contributing/docs:
 ==========================
 Contributing Documentation
 ==========================
 Documentation is often more important than code. This page helps
 you get set up on how to contribute documentation to JupyterHub.
 Building documentation locally
 ==============================
 We use `sphinx <http://sphinx-doc.org>`_ to build our documentation. It takes
 our documentation source files (written in `markdown
 <https://daringfireball.net/projects/markdown/>`_ or `reStructuredText
 <https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html>`_ &
 stored under the ``docs/source`` directory) and converts it into various
 formats for people to read. To make sure the documentation you write or
 change renders correctly, it is good practice to test it locally.
 #. Make sure you have successfuly completed :ref:`contributing/setup`.
 #. Install the packages required to build the docs.
   .. code-block:: bash
      python3 -m pip install -r docs/requirements.txt
 #. Build the html version of the docs. This is the most commonly used
   output format, so verifying it renders as you should is usually good
   enough.
   .. code-block:: bash
      cd docs
      make html
   This step will display any syntax or formatting errors in the documentation,
   along with the filename / line number in which they occurred. Fix them,
   and re-run the ``make html`` command to re-render the documentation.
 #. View the rendered documentation by opening ``build/html/index.html`` in
   a web browser.
   .. tip::
      On macOS, you can open a file from the terminal with ``open <path-to-file>``.
      On Linux, you can do the same with ``xdg-open <path-to-file>``.
 .. _contributing/docs/conventions:
 Documentation conventions
 =========================
 This section lists various conventions we use in our documentation. This is a
 living document that grows over time, so feel free to add to it / change it!
 Our entire documentation does not yet fully conform to these conventions yet,
 so help in making it so would be appreciated!
 ``pip`` invocation
 ------------------
 There are many ways to invoke a ``pip`` command, we recommend the following
 approach:
 .. code-block:: bash
   python3 -m pip
 This invokes pip explicitly using the python3 binary that you are
 currently using. This is the **recommended way** to invoke pip
 in our documentation, since it is least likely to cause problems
 with python3 and pip being from different environments.
 For more information on how to invoke ``pip`` commands, see
 `the pip documentation <https://pip.pypa.io/en/stable/>`_.
--- a/docs/source/contributing/index.md
+++ b/docs/source/contributing/index.md
@@ -1,22 +0,0 @@
 # Contributing
 We want you to contribute to JupyterHub in ways that are most exciting
 and useful to you. We value documentation, testing, bug reporting & code equally,
 and are glad to have your contributions in whatever form you wish.
 Be sure to first check our [Code of Conduct](https://github.com/jupyter/governance/blob/HEAD/conduct/code_of_conduct.md)
 ([reporting guidelines](https://github.com/jupyter/governance/blob/HEAD/conduct/reporting_online.md)), which help keep our community welcoming to as many people as possible.
 This section covers information about our community, as well as ways that you can connect and get involved.
 ```{toctree}
 :maxdepth: 2
 contributor-list
 community
 setup
 docs
 tests
 roadmap
 security
 ```
--- a/docs/source/contributing/index.rst
+++ b/docs/source/contributing/index.rst
@@ -0,0 +1,21 @@
 ============
 Contributing
 ============
 We want you to contribute to JupyterHub in ways that are most exciting
 & useful to you. We value documentation, testing, bug reporting & code equally,
 and are glad to have your contributions in whatever form you wish :)
 Our `Code of Conduct <https://github.com/jupyter/governance/blob/HEAD/conduct/code_of_conduct.md>`_
 (`reporting guidelines <https://github.com/jupyter/governance/blob/HEAD/conduct/reporting_online.md>`_)
 helps keep our community welcoming to as many people as possible.
 .. toctree::
   :maxdepth: 2
   community
   setup
   docs
   tests
   roadmap
   security
--- a/docs/source/contributing/roadmap.md
+++ b/docs/source/contributing/roadmap.md
@@ -4,7 +4,7 @@ This roadmap collects "next steps" for JupyterHub. It is about creating a
 shared understanding of the project's vision and direction amongst
 the community of users, contributors, and maintainers.
 The goal is to communicate priorities and upcoming release plans.
-It is not aimed at limiting contributions to what is listed here.
+It is not a aimed at limiting contributions to what is listed here.
 ## Using the roadmap
--- a/docs/source/contributing/security.md
+++ b/docs/source/contributing/security.md
@@ -1,9 +0,0 @@
 # Reporting security issues in Jupyter or JupyterHub
 If you find a security vulnerability in Jupyter or JupyterHub,
 whether it is a failure of the security model described in [Security Overview](web-security)
 or a failure in implementation,
 please report it to <mailto:security@ipython.org>.
 If you prefer to encrypt your security reports,
 you can use {download}`this PGP public key </ipython_security.asc>`.
--- a/docs/source/contributing/security.rst
+++ b/docs/source/contributing/security.rst
@@ -0,0 +1,10 @@
 Reporting security issues in Jupyter or JupyterHub
 ==================================================
 If you find a security vulnerability in Jupyter or JupyterHub,
 whether it is a failure of the security model described in :doc:`../reference/websecurity`
 or a failure in implementation,
 please report it to security@ipython.org.
 If you prefer to encrypt your security reports,
 you can use :download:`this PGP public key </ipython_security.asc>`.
--- a/docs/source/contributing/setup.md
+++ b/docs/source/contributing/setup.md
@@ -1,175 +0,0 @@
 (contributing/setup)=
 # Setting up a development install
 ## System requirements
 JupyterHub can only run on macOS or Linux operating systems. If you are
 using Windows, we recommend using [VirtualBox](https://virtualbox.org)
 or a similar system to run [Ubuntu Linux](https://ubuntu.com) for
 development.
 ### Install Python
 JupyterHub is written in the [Python](https://python.org) programming language and
 requires you have at least version 3.6 installed locally. If you haven’t
 installed Python before, the recommended way to install it is to use
 [Miniforge](https://github.com/conda-forge/miniforge#download).
 ### Install nodejs
 [NodeJS 12+](https://nodejs.org/en/) is required for building some JavaScript components.
 `configurable-http-proxy`, the default proxy implementation for JupyterHub, is written in Javascript.
 If you have not installed NodeJS before, we recommend installing it in the `miniconda` environment you set up for Python.
 You can do so with `conda install nodejs`.
 Many in the Jupyter community use \[`nvm`\](<https://github.com/nvm-sh/nvm>) to
 managing node dependencies.
 ### Install git
 JupyterHub uses [Git](https://git-scm.com) & [GitHub](https://github.com)
 for development & collaboration. You need to [install git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) to work on
 JupyterHub. We also recommend getting a free account on GitHub.com.
 ## Setting up a development install
 When developing JupyterHub, you would need to make changes and be able to instantly view the results of the changes. To achieve that, a developer install is required.
 :::{note}
 This guide does not attempt to dictate _how_ development
 environments should be isolated since that is a personal preference and can
 be achieved in many ways, for example, `tox`, `conda`, `docker`, etc. See this
 [forum thread](https://discourse.jupyter.org/t/thoughts-on-using-tox/3497) for
 a more detailed discussion.
 :::
 1. Clone the [JupyterHub git repository](https://github.com/jupyterhub/jupyterhub)
   to your computer.
   ```bash
   git clone https://github.com/jupyterhub/jupyterhub
   cd jupyterhub
   ```
 2. Make sure the `python` you installed and the `npm` you installed
   are available to you on the command line.
   ```bash
   python -V
   ```
   This should return a version number greater than or equal to 3.6.
   ```bash
   npm -v
   ```
   This should return a version number greater than or equal to 5.0.
 3. Install `configurable-http-proxy` (required to run and test the default JupyterHub configuration) and `yarn` (required to build some components):
   ```bash
   npm install -g configurable-http-proxy yarn
   ```
   If you get an error that says `Error: EACCES: permission denied`, you might need to prefix the command with `sudo`.
   `sudo` may be required to perform a system-wide install.
   If you do not have access to sudo, you may instead run the following commands:
   ```bash
   npm install configurable-http-proxy yarn
   export PATH=$PATH:$(pwd)/node_modules/.bin
   ```
   The second line needs to be run every time you open a new terminal.
   If you are using conda you can instead run:
   ```bash
   conda install configurable-http-proxy yarn
   ```
 4. Install an editable version of JupyterHub and its requirements for
   development and testing. This lets you edit JupyterHub code in a text editor
   & restart the JupyterHub process to see your code changes immediately.
   ```bash
   python3 -m pip install --editable ".[test]"
   ```
 5. Set up a database.
   The default database engine is `sqlite` so if you are just trying
   to get up and running quickly for local development that should be
   available via [Python](https://docs.python.org/3.5/library/sqlite3.html).
   See [The Hub's Database](hub-database) for details on other supported databases.
 6. You are now ready to start JupyterHub!
   ```bash
   jupyterhub
   ```
 7. You can access JupyterHub from your browser at
   `http://localhost:8000` now.
 Happy developing!
 ## Using DummyAuthenticator & SimpleLocalProcessSpawner
 To simplify testing of JupyterHub, it is helpful to use
 {class}`~jupyterhub.auth.DummyAuthenticator` instead of the default JupyterHub
 authenticator and SimpleLocalProcessSpawner instead of the default spawner.
 There is a sample configuration file that does this in
 `testing/jupyterhub_config.py`. To launch JupyterHub with this
 configuration:
 ```bash
 jupyterhub -f testing/jupyterhub_config.py
 ```
 The default JupyterHub [authenticator](PAMAuthenticator)
 & [spawner](LocalProcessSpawner)
 require your system to have user accounts for each user you want to log in to
 JupyterHub as.
 DummyAuthenticator allows you to log in with any username & password,
 while SimpleLocalProcessSpawner allows you to start servers without having to
 create a Unix user for each JupyterHub user. Together, these make it
 much easier to test JupyterHub.
 Tip: If you are working on parts of JupyterHub that are common to all
 authenticators & spawners, we recommend using both DummyAuthenticator &
 SimpleLocalProcessSpawner. If you are working on just authenticator-related
 parts, use only SimpleLocalProcessSpawner. Similarly, if you are working on
 just spawner-related parts, use only DummyAuthenticator.
 ## Troubleshooting
 This section lists common ways setting up your development environment may
 fail, and how to fix them. Please add to the list if you encounter yet
 another way it can fail!
 ### `lessc` not found
 If the `python3 -m pip install --editable .` command fails and complains about
 `lessc` being unavailable, you may need to explicitly install some
 additional JavaScript dependencies:
 ```bash
 npm install
 ```
 This will fetch client-side JavaScript dependencies necessary to compile
 CSS.
 You may also need to manually update JavaScript and CSS after some
 development updates, with:
 ```bash
 python3 setup.py js    # fetch updated client-side js
 python3 setup.py css   # recompile CSS from LESS sources
 python3 setup.py jsx   # build React admin app
 ```
--- a/docs/source/contributing/setup.rst
+++ b/docs/source/contributing/setup.rst
@@ -0,0 +1,188 @@
 .. _contributing/setup:
 ================================
 Setting up a development install
 ================================
 System requirements
 ===================
 JupyterHub can only run on MacOS or Linux operating systems. If you are
 using Windows, we recommend using `VirtualBox <https://virtualbox.org>`_
 or a similar system to run `Ubuntu Linux <https://ubuntu.com>`_ for
 development.
 Install Python
 --------------
 JupyterHub is written in the `Python <https://python.org>`_ programming language, and
 requires you have at least version 3.5 installed locally. If you haven’t
 installed Python before, the recommended way to install it is to use
 `miniconda <https://conda.io/miniconda.html>`_. Remember to get the ‘Python 3’ version,
 and **not** the ‘Python 2’ version!
 Install nodejs
 --------------
 ``configurable-http-proxy``, the default proxy implementation for
 JupyterHub, is written in Javascript to run on `NodeJS
 <https://nodejs.org/en/>`_. If you have not installed nodejs before, we
 recommend installing it in the ``miniconda`` environment you set up for
 Python. You can do so with ``conda install nodejs``.
 Install git
 -----------
 JupyterHub uses `git <https://git-scm.com>`_ & `GitHub <https://github.com>`_
 for development & collaboration. You need to `install git
 <https://git-scm.com/book/en/v2/Getting-Started-Installing-Git>`_ to work on
 JupyterHub. We also recommend getting a free account on GitHub.com.
 Setting up a development install
 ================================
 When developing JupyterHub, you need to make changes to the code & see
 their effects quickly. You need to do a developer install to make that
 happen.
 .. note:: This guide does not attempt to dictate *how* development
   environements should be isolated since that is a personal preference and can
   be achieved in many ways, for example `tox`, `conda`, `docker`, etc. See this
   `forum thread <https://discourse.jupyter.org/t/thoughts-on-using-tox/3497>`_ for
   a more detailed discussion.
 1. Clone the `JupyterHub git repository <https://github.com/jupyterhub/jupyterhub>`_
   to your computer.
   .. code:: bash
      git clone https://github.com/jupyterhub/jupyterhub
      cd jupyterhub
 2. Make sure the ``python`` you installed and the ``npm`` you installed
   are available to you on the command line.
   .. code:: bash
      python -V
   This should return a version number greater than or equal to 3.5.
   .. code:: bash
      npm -v
   This should return a version number greater than or equal to 5.0.
 3. Install ``configurable-http-proxy``. This is required to run
   JupyterHub.
   .. code:: bash
      npm install -g configurable-http-proxy
   If you get an error that says ``Error: EACCES: permission denied``,
   you might need to prefix the command with ``sudo``. If you do not
   have access to sudo, you may instead run the following commands:
   .. code:: bash
      npm install configurable-http-proxy
      export PATH=$PATH:$(pwd)/node_modules/.bin
   The second line needs to be run every time you open a new terminal.
 4. Install the python packages required for JupyterHub development.
   .. code:: bash
      python3 -m pip install -r dev-requirements.txt
      python3 -m pip install -r requirements.txt
 5. Setup a database.
   The default database engine is ``sqlite`` so if you are just trying
   to get up and running quickly for local development that should be
   available via `python <https://docs.python.org/3.5/library/sqlite3.html>`__.
   See :doc:`/reference/database` for details on other supported databases.
 6. Install the development version of JupyterHub. This lets you edit
   JupyterHub code in a text editor & restart the JupyterHub process to
   see your code changes immediately.
   .. code:: bash
      python3 -m pip install --editable .
 7. You are now ready to start JupyterHub!
   .. code:: bash
      jupyterhub
 8. You can access JupyterHub from your browser at
   ``http://localhost:8000`` now.
 Happy developing!
 Using DummyAuthenticator & SimpleLocalProcessSpawner
 ====================================================
 To simplify testing of JupyterHub, it’s helpful to use
 :class:`~jupyterhub.auth.DummyAuthenticator` instead of the default JupyterHub
 authenticator and SimpleLocalProcessSpawner instead of the default spawner.
 There is a sample configuration file that does this in
 ``testing/jupyterhub_config.py``. To launch jupyterhub with this
 configuration:
 .. code:: bash
   jupyterhub -f testing/jupyterhub_config.py
 The default JupyterHub `authenticator
 <https://jupyterhub.readthedocs.io/en/stable/reference/authenticators.html#the-default-pam-authenticator>`_
 & `spawner
 <https://jupyterhub.readthedocs.io/en/stable/api/spawner.html#localprocessspawner>`_
 require your system to have user accounts for each user you want to log in to
 JupyterHub as.
 DummyAuthenticator allows you to log in with any username & password,
 while SimpleLocalProcessSpawner allows you to start servers without having to
 create a unix user for each JupyterHub user. Together, these make it
 much easier to test JupyterHub.
 Tip: If you are working on parts of JupyterHub that are common to all
 authenticators & spawners, we recommend using both DummyAuthenticator &
 SimpleLocalProcessSpawner. If you are working on just authenticator related
 parts, use only SimpleLocalProcessSpawner. Similarly, if you are working on
 just spawner related parts, use only DummyAuthenticator.
 Troubleshooting
 ===============
 This section lists common ways setting up your development environment may
 fail, and how to fix them. Please add to the list if you encounter yet
 another way it can fail!
 ``lessc`` not found
 -------------------
 If the ``python3 -m pip install --editable .`` command fails and complains about
 ``lessc`` being unavailable, you may need to explicitly install some
 additional JavaScript dependencies:
 .. code:: bash
   npm install
 This will fetch client-side JavaScript dependencies necessary to compile
 CSS.
 You may also need to manually update JavaScript and CSS after some
 development updates, with:
 .. code:: bash
   python3 setup.py js    # fetch updated client-side js
   python3 setup.py css   # recompile CSS from LESS sources
--- a/docs/source/contributing/tests.md
+++ b/docs/source/contributing/tests.md
@@ -1,157 +0,0 @@
 (contributing-tests)=
 # Testing JupyterHub and linting code
 Unit testing helps to validate that JupyterHub works the way we think it does,
 and continues to do so when changes occur. They also help communicate
 precisely what we expect our code to do.
 JupyterHub uses [pytest](https://pytest.org) for all the tests. You
 can find them under the [jupyterhub/tests](https://github.com/jupyterhub/jupyterhub/tree/main/jupyterhub/tests) directory in the git repository.
 ## Running the tests
 1. Make sure you have completed {ref}`contributing/setup`.
   Once you are done, you would be able to run `jupyterhub` from the command line and access it from your web browser.
   This ensures that the dev environment is properly set up for tests to run.
 2. You can run all tests in JupyterHub
   ```bash
   pytest -v jupyterhub/tests
   ```
   This should display progress as it runs all the tests, printing
   information about any test failures as they occur.
   If you wish to confirm test coverage the run tests with the `--cov` flag:
   ```bash
   pytest -v --cov=jupyterhub jupyterhub/tests
   ```
 3. You can also run tests in just a specific file:
   ```bash
   pytest -v jupyterhub/tests/<test-file-name>
   ```
 4. To run a specific test only, you can do:
   ```bash
   pytest -v jupyterhub/tests/<test-file-name>::<test-name>
   ```
   This runs the test with function name `<test-name>` defined in
   `<test-file-name>`. This is very useful when you are iteratively
   developing a single test.
   For example, to run the test `test_shutdown` in the file `test_api.py`,
   you would run:
   ```bash
   pytest -v jupyterhub/tests/test_api.py::test_shutdown
   ```
   For more details, refer to the [pytest usage documentation](https://pytest.readthedocs.io/en/latest/usage.html).
 ## Test organisation
 The tests live in `jupyterhub/tests` and are organized roughly into:
 1. `test_api.py` tests the REST API
 2. `test_pages.py` tests loading the HTML pages
 and other collections of tests for different components.
 When writing a new test, there should usually be a test of
 similar functionality already written and related tests should
 be added nearby.
 The fixtures live in `jupyterhub/tests/conftest.py`. There are
 fixtures that can be used for JupyterHub components, such as:
 - `app`: an instance of JupyterHub with mocked parts
 - `auth_state_enabled`: enables persisting auth_state (like authentication tokens)
 - `db`: a sqlite in-memory DB session
 - `` io_loop` ``: a Tornado event loop
 - `event_loop`: a new asyncio event loop
 - `user`: creates a new temporary user
 - `admin_user`: creates a new temporary admin user
 - single user servers
  \- `cleanup_after`: allows cleanup of single user servers between tests
 - mocked service
  \- `MockServiceSpawner`: a spawner that mocks services for testing with a short poll interval
  \- `` mockservice` ``: mocked service with no external service url
  \- `mockservice_url`: mocked service with a url to test external services
 And fixtures to add functionality or spawning behavior:
 - `admin_access`: grants admin access
 - `` no_patience` ``: sets slow-spawning timeouts to zero
 - `slow_spawn`: enables the SlowSpawner (a spawner that takes a few seconds to start)
 - `never_spawn`: enables the NeverSpawner (a spawner that will never start)
 - `bad_spawn`: enables the BadSpawner (a spawner that fails immediately)
 - `slow_bad_spawn`: enables the SlowBadSpawner (a spawner that fails after a short delay)
 Refer to the [pytest fixtures documentation](https://pytest.readthedocs.io/en/latest/fixture.html) to learn how to use fixtures that exists already and to create new ones.
 ### The Pytest-Asyncio Plugin
 When testing the various JupyterHub components and their various implementations, it sometimes becomes necessary to have a running instance of JupyterHub to test against.
 The [`app`](https://github.com/jupyterhub/jupyterhub/blob/270b61992143b29af8c2fab90c4ed32f2f6fe209/jupyterhub/tests/conftest.py#L60) fixture mocks a JupyterHub application for use in testing by:
 - enabling ssl if internal certificates are available
 - creating an instance of [MockHub](https://github.com/jupyterhub/jupyterhub/blob/270b61992143b29af8c2fab90c4ed32f2f6fe209/jupyterhub/tests/mocking.py#L221) using any provided configurations as arguments
 - initializing the mocked instance
 - starting the mocked instance
 - finally, a registered finalizer function performs a cleanup and stops the mocked instance
 The JupyterHub test suite uses the [pytest-asyncio plugin](https://pytest-asyncio.readthedocs.io/en/latest/) that handles [event-loop](https://docs.python.org/3/library/asyncio-eventloop.html) integration in [Tornado](https://www.tornadoweb.org/en/stable/) applications. This allows for the use of top-level awaits when calling async functions or [fixtures](https://docs.pytest.org/en/6.2.x/fixture.html#what-fixtures-are) during testing. All test functions and fixtures labelled as `async` will run on the same event loop.
 ```{note}
 With the introduction of [top-level awaits](https://piccolo-orm.com/blog/top-level-await-in-python/), the use of the `io_loop` fixture of the [pytest-tornado plugin](https://www.tornadoweb.org/en/stable/ioloop.html) is no longer necessary. It was initially used to call coroutines. With the upgrades made to `pytest-asyncio`, this usage is now deprecated. It is now, only utilized within the JupyterHub test suite to ensure complete cleanup of resources used during testing such as open file descriptors. This is demonstrated in this [pull request](https://github.com/jupyterhub/jupyterhub/pull/4332).
 More information is provided below.
 ```
 One of the general goals of the [JupyterHub Pytest Plugin project](https://github.com/jupyterhub/pytest-jupyterhub) is to ensure the MockHub cleanup fully closes and stops all utilized resources during testing so the use of the `io_loop` fixture for teardown is not necessary. This was highlighted in this [issue](https://github.com/jupyterhub/pytest-jupyterhub/issues/30)
 For more information on asyncio and event-loops, here are some resources:
 - **Read**: [Introduction to the Python event loop](https://www.pythontutorial.net/python-concurrency/python-event-loop)
 - **Read**: [Overview of Async IO in Python 3.7](https://stackabuse.com/overview-of-async-io-in-python-3-7)
 - **Watch**: [Asyncio: Understanding Async / Await in Python](https://www.youtube.com/watch?v=bs9tlDFWWdQ)
 - **Watch**: [Learn Python's AsyncIO #2 - The Event Loop](https://www.youtube.com/watch?v=E7Yn5biBZ58)
 ## Troubleshooting Test Failures
 ### All the tests are failing
 Make sure you have completed all the steps in {ref}`contributing/setup` successfully, and are able to access JupyterHub from your browser at http://localhost:8000 after starting `jupyterhub` in your command line.
 ## Code formatting and linting
 JupyterHub automatically enforces code formatting. This means that pull requests
 with changes breaking this formatting will receive a commit from pre-commit.ci
 automatically.
 To automatically format code locally, you can install pre-commit and register a
 _git hook_ to automatically check with pre-commit before you make a commit if
 the formatting is okay.
 ```bash
 pip install pre-commit
 pre-commit install --install-hooks
 ```
 To run pre-commit manually you would do:
 ```bash
 # check for changes to code not yet committed
 pre-commit run
 # check for changes also in already committed code
 pre-commit run --all-files
 ```
 You may also install [black integration](https://github.com/psf/black#editor-integration)
 into your text editor to format code automatically.
--- a/docs/source/contributing/tests.rst
+++ b/docs/source/contributing/tests.rst
@@ -0,0 +1,68 @@
 .. _contributing/tests:
 ==================
 Testing JupyterHub
 ==================
 Unit test help validate that JupyterHub works the way we think it does,
 and continues to do so when changes occur. They also help communicate
 precisely what we expect our code to do. 
 JupyterHub uses `pytest <https://pytest.org>`_ for all our tests. You
 can find them under ``jupyterhub/tests`` directory in the git repository.
 Running the tests
 ==================
 #. Make sure you have completed :ref:`contributing/setup`. You should be able
   to start ``jupyterhub`` from the commandline & access it from your
   web browser. This ensures that the dev environment is properly set
   up for tests to run.
 #. You can run all tests in JupyterHub 
   .. code-block:: bash
      pytest -v jupyterhub/tests
   This should display progress as it runs all the tests, printing
   information about any test failures as they occur.
   If you wish to confirm test coverage the run tests with the `--cov` flag:
   .. code-block:: bash
      pytest -v --cov=jupyterhub jupyterhub/tests
 #. You can also run tests in just a specific file:
   .. code-block:: bash
      pytest -v jupyterhub/tests/<test-file-name>
 #. To run a specific test only, you can do:
   .. code-block:: bash
      pytest -v jupyterhub/tests/<test-file-name>::<test-name>
   This runs the test with function name ``<test-name>`` defined in
   ``<test-file-name>``. This is very useful when you are iteratively
   developing a single test.
   For example, to run the test ``test_shutdown`` in the file ``test_api.py``,
   you would run:
   .. code-block:: bash
      pytest -v jupyterhub/tests/test_api.py::test_shutdown
 Troubleshooting Test Failures
 =============================
 All the tests are failing
 -------------------------
 Make sure you have completed all the steps in :ref:`contributing/setup` successfully, and
 can launch ``jupyterhub`` from the terminal.
--- a/docs/source/contributing/contributor-list.md
+++ b/docs/source/contributing/contributor-list.md
@@ -120,4 +120,3 @@ contribution on JupyterHub:
 - yuvipanda
 - zoltan-fedor
 - zonca
 - Neeraj Natu
--- a/docs/source/events/index.rst
+++ b/docs/source/events/index.rst
@@ -0,0 +1,46 @@
 Eventlogging and Telemetry
 ==========================
 JupyterHub can be configured to record structured events from a running server using Jupyter's `Telemetry System`_. The types of events that JupyterHub emits are defined by `JSON schemas`_ listed at the bottom of this page_.
 .. _logging: https://docs.python.org/3/library/logging.html
 .. _`Telemetry System`: https://github.com/jupyter/telemetry
 .. _`JSON schemas`: https://json-schema.org/
 How to emit events
 ------------------
 Event logging is handled by its ``Eventlog`` object. This leverages Python's standing logging_ library to emit, filter, and collect event data. 
 To begin recording events, you'll need to set two configurations:
    1. ``handlers``: tells the EventLog *where* to route your events. This trait is a list of Python logging handlers that route events to 
    2. ``allows_schemas``: tells the EventLog *which* events should be recorded. No events are emitted by default; all recorded events must be listed here.
 Here's a basic example:
 .. code-block::
    import logging
    c.EventLog.handlers = [
        logging.FileHandler('event.log'),
    ]
    c.EventLog.allowed_schemas = [
        'hub.jupyter.org/server-action'
    ]
 The output is a file, ``"event.log"``, with events recorded as JSON data.
 .. _page:
 Event schemas
 -------------
 .. toctree::
    :maxdepth: 2
    server-actions.rst
--- a/docs/source/reference/server-actions.md
+++ b/docs/source/reference/server-actions.md
@@ -1,3 +1 @@
 ```{eval-rst}
 .. jsonschema:: ../../../jupyterhub/event-schemas/server-actions/v1.yaml
 ```
--- a/docs/source/explanation/capacity-planning.md
+++ b/docs/source/explanation/capacity-planning.md
@@ -1,308 +0,0 @@
 # Capacity planning
 General capacity planning advice for JupyterHub is hard to give,
 because it depends almost entirely on what your users are doing,
 and what JupyterHub users do varies _wildly_ in terms of resource consumption.
 **There is no single answer to "I have X users, what resources do I need?" or "How many users can I support with this machine?"**
 Here are three _typical_ Jupyter use patterns that require vastly different resources:
 - **Learning**: negligible resources because computation is mostly idle,
  e.g. students learning programming for the first time
 - **Production code**: very intense, sustained load, e.g. training machine learning models
 - **Bursting**: _mostly_ idle, but needs a lot of resources for short periods of time
  (interactive research often looks like this)
 But just because there's no single answer doesn't mean we can't help.
 So we have gathered here some useful information to help you make your decisions
 about what resources you need based on how your users work,
 including the relative invariants in terms of resources that JupyterHub itself needs.
 ## JupyterHub infrastructure
 JupyterHub consists of a few components that are always running.
 These take up very little resources,
 especially relative to the resources consumed by users when you have more than a few.
 As an example, an instance of mybinder.org (running JupyterHub 1.5.0),
 running with typically ~100-150 users has:
 | Component | CPU (mean/peak) | Memory (mean/peak) |
 | --------- | --------------- | ------------------ |
 | Hub       | 4% / 13%        | (230 MB / 260 MB)  |
 | Proxy     | 6% / 13%        | (47 MB / 65 MB)    |
 So it would be pretty generous to allocate ~25% of one CPU core
 and ~500MB of RAM to overall JupyterHub infrastructure.
 The rest is going to be up to your users.
 Per-user overhead from JupyterHub is typically negligible
 up to at least a few hundred concurrent active users.
 ```{figure} /images/mybinder-hub-components-cpu-memory.png
 JupyterHub component resource usage for mybinder.org.
 ```
 ## Factors to consider
 ### Static vs elastic resources
 A big factor in planning resources is:
 **how much does it cost to change your mind?**
 If you are using a single shared machine with local storage,
 migrating to a new one because it turns out your users don't fit might be very costly.
 You will have to get a new machine, set it up, and maybe even migrate user data.
 On the other hand, if you are using ephemeral resources,
 such as node pools in Kubernetes,
 changing resource types costs close to nothing
 because nodes can automatically be added or removed as needed.
 Take that cost into account when you are picking how much memory or cpu to allocate to users.
 Static resources (like [the-littlest-jupyterhub][]) provide for more **stable, predictable costs**,
 but elastic resources (like [zero-to-jupyterhub][]) tend to provide **lower overall costs**
 (especially when deployed with monitoring allowing cost optimizations over time),
 but which are **less predictable**.
 [the-littlest-jupyterhub]: https://the-littlest-jupyterhub.readthedocs.io
 [zero-to-jupyterhub]: https://z2jh.jupyter.org
 (limits-requests)=
 ### Limit vs Request for resources
 Many scheduling tools like Kubernetes have two separate ways of allocating resources to users.
 A **Request** or **Reservation** describes how much resources are _set aside_ for each user.
 Often, this doesn't have any practical effect other than deciding when a given machine is considered 'full'.
 If you are using expandable resources like an autoscaling Kubernetes cluster,
 a new node must be launched and added to the pool if you 'request' more resources than fit on currently running nodes (a cluster **scale-up event**).
 If you are running on a single VM, this describes how many users you can run at the same time, full stop.
 A **Limit**, on the other hand, enforces a limit to how much resources any given user can consume.
 For more information on what happens when users try to exceed their limits, see [](oversubscription).
 In the strictest, safest case, you can have these two numbers be the same.
 That means that each user is _limited_ to fit within the resources allocated to it.
 This avoids **[oversubscription](oversubscription)** of resources (allowing use of more than you have available),
 at the expense (in a literal, this-costs-money sense) of reserving lots of usually-idle capacity.
 However, you often find that a small fraction of users use more resources than others.
 In this case you may give users limits that _go beyond the amount of resources requested_.
 This is called **oversubscribing** the resources available to users.
 Having a gap between the request and the limit means you can fit a number of _typical_ users on a node (based on the request),
 but still limit how much a runaway user can gobble up for themselves.
 (oversubscription)=
 ### Oversubscribed CPU is okay, running out of memory is bad
 An important consideration when assigning resources to users is: **What happens when users need more than I've given them?**
 A good summary to keep in mind:
 > When tasks don't get enough CPU, things are slow.
 > When they don't get enough memory, things are broken.
 This means it's **very important that users have enough memory**,
 but much less important that they always have exclusive access to all the CPU they can use.
 This relates to [Limits and Requests](limits-requests),
 because these are the consequences of your limits and/or requests not matching what users actually try to use.
 A table of mismatched resource allocation situations and their consequences:
 | issue                                                    | consequence                                                                           |
 | -------------------------------------------------------- | ------------------------------------------------------------------------------------- |
 | Requests too high                                        | Unnecessarily high cost and/or low capacity.                                          |
 | CPU limit too low                                        | Poor performance experienced by users                                                 |
 | CPU oversubscribed (too-low request + too-high limit)    | Poor performance across the system; may crash, if severe                              |
 | Memory limit too low                                     | Servers killed by Out-of-Memory Killer (OOM); lost work for users                     |
 | Memory oversubscribed (too-low request + too-high limit) | System memory exhaustion - all kinds of hangs and crashes and weird errors. Very bad. |
 Note that the 'oversubscribed' problem case is where the request is lower than _typical_ usage,
 meaning that the total reserved resources isn't enough for the total _actual_ consumption.
 This doesn't mean that _all_ your users exceed the request,
 just that the _limit_ gives enough room for the _average_ user to exceed the request.
 All of these considerations are important _per node_.
 Larger nodes means more users per node, and therefore more users to average over.
 It also means more chances for multiple outliers on the same node.
 ### Example case for oversubscribing memory
 Take for example, this system and sampling of user behavior:
 - System memory = 8G
 - memory request = 1G, limit = 3G
 - typical 'heavy' user: 2G
 - typical 'light' user: 0.5G
 This will assign 8 users to those 8G of RAM (remember: only requests are used for deciding when a machine is 'full').
 As long as the total of 8 users _actual_ usage is under 8G, everything is fine.
 But the _limit_ allows a total of 24G to be used,
 which would be a mess if everyone used their full limit.
 But _not_ everyone uses the full limit, which is the point!
 This pattern is fine if 1/8 of your users are 'heavy' because _typical_ usage will be ~0.7G,
 and your total usage will be ~5G (`1 × 2 + 7 × 0.5 = 5.5`).
 But if _50%_ of your users are 'heavy' you have a problem because that means your users will be trying to use 10G (`4 × 2 + 4 × 0.5 = 10`),
 which you don't have.
 You can make guesses at these numbers, but the only _real_ way to get them is to measure (see [](measuring)).
 ### CPU:memory ratio
 Most of the time, you'll find that only one resource is the limiting factor for your users.
 Most often it's memory, but for certain tasks, it could be CPU (or even GPUs).
 Many cloud deployments have just one or a few fixed ratios of cpu to memory
 (e.g. 'general purpose', 'high memory', and 'high cpu').
 Setting your secondary resource allocation according to this ratio
 after selecting the more important limit results in a balanced resource allocation.
 For instance, some of Google Cloud's ratios are:
 | node type   | GB RAM / CPU core |
 | ----------- | ----------------- |
 | n2-highmem  | 8                 |
 | n2-standard | 4                 |
 | n2-highcpu  | 1                 |
 (idleness)=
 ### Idleness
 Jupyter being an interactive tool means people tend to spend a lot more time reading and thinking than actually running resource-intensive code.
 This significantly affects how much _cpu_ resources a typical active user needs,
 but often does not significantly affect the _memory_.
 Ways to think about this:
 - More idle users means unused CPU.
  This generally means setting your CPU _limit_ higher than your CPU _request_.
 - What do your users do when they _are_ running code?
  Is it typically single-threaded local computation in a notebook?
  If so, there's little reason to set a limit higher than 1 CPU core.
 - Do typical computations take a long time, or just a few seconds?
  Longer typical computations means it's more likely for users to be trying to use the CPU at the same moment,
  suggesting a higher _request_.
 - Even with idle users, parallel computation adds up quickly - one user fully loading 4 cores and 3 using almost nothing still averages to more than a full CPU core per user.
 - Long-running intense computations suggest higher requests.
 Again, using mybinder.org as an example—we run around 100 users on 8-core nodes,
 and still see fairly _low_ overall CPU usage on each user node.
 The limit here is actually Kubernetes' pods per node, not memory _or_ CPU.
 This is likely a extreme case, as many Binder users come from clicking links on webpages
 without any actual intention of running code.
 ```{figure} /images/mybinder-load5.png
 mybinder.org node CPU usage is low with 50-150 users sharing just 8 cores
 ```
 ### Concurrent users and culling idle servers
 Related to [][idleness], all of these resource consumptions and limits are calculated based on **concurrently active users**,
 not total users.
 You might have 10,000 users of your JupyterHub deployment, but only 100 of them running at any given time.
 That 100 is the main number you need to use for your capacity planning.
 JupyterHub costs scale very little based on the number of _total_ users,
 up to a point.
 There are two important definitions for **active user**:
 - Are they _actually_ there (i.e. a human interacting with Jupyter, or running code that might be )
 - Is their server running (this is where resource reservations and limits are actually applied)
 Connecting those two definitions (how long are servers running if their humans aren't using them) is an important area of deployment configuration, usually implemented via the [JupyterHub idle culler service][idle-culler].
 [idle-culler]: https://github.com/jupyterhub/jupyterhub-idle-culler
 There are a lot of considerations when it comes to culling idle users that will depend:
 - How much does it save me to shut down user servers? (e.g. keeping an elastic cluster small, or keeping a fixed-size deployment available to active users)
 - How much does it cost my users to have their servers shut down? (e.g. lost work if shutdown prematurely)
 - How easy do I want it to be for users to keep their servers running? (e.g. Do they want to run unattended simulations overnight? Do you want them to?)
 Like many other things in this guide, there are many correct answers leading to different configuration choices.
 For more detail on culling configuration and considerations, consult the [JupyterHub idle culler documentation][idle-culler].
 ## More tips
 ### Start strict and generous, then measure
 A good tip, in general, is to give your users as much resources as you can afford that you think they _might_ use.
 Then, use resource usage metrics like prometheus to analyze what your users _actually_ need,
 and tune accordingly.
 Remember: **Limits affect your user experience and stability. Requests mostly affect your costs**.
 For example, a sensible starting point (lacking any other information) might be:
 ```yaml
 request:
  cpu: 0.5
  mem: 2G
 limit:
  cpu: 1
  mem: 2G
 ```
 (more memory if significant computations are likely - machine learning models, data analysis, etc.)
 Some actions
 - If you see out-of-memory killer events, increase the limit (or talk to your users!)
 - If you see typical memory well below your limit, reduce the request (but not the limit)
 - If _nobody_ uses that much memory, reduce your limit
 - If CPU is your limiting scheduling factor and your CPUs are mostly idle,
  reduce the cpu request (maybe even to 0!).
 - If CPU usage continues to be low, increase the limit to 2 or 4 to allow bursts of parallel execution.
 (measuring)=
 ### Measuring user resource consumption
 It is _highly_ recommended to deploy monitoring services such as [Prometheus][]
 and [Grafana][] to get a view of your users' resource usage.
 This is the only way to truly know what your users need.
 JupyterHub has some experimental [grafana dashboards][] you can use as a starting point,
 to keep an eye on your resource usage.
 Here are some sample charts from (again from mybinder.org),
 showing >90% of users using less than 10% CPU and 200MB,
 but a few outliers near the limit of 1 CPU and 2GB of RAM.
 This is the kind of information you can use to tune your requests and limits.
 ![Snapshot from JupyterHub's Grafana dashboards on mybinder.org](/images/mybinder-user-resources.png)
 [prometheus]: https://prometheus.io
 [grafana]: https://grafana.com
 [grafana dashboards]: https://github.com/jupyterhub/grafana-dashboards
 ### Measuring costs
 Measuring costs may be as important as measuring your users activity.
 If you are using a cloud provider, you can often use cost thresholds and quotas to instruct them to notify you if your costs are too high,
 e.g. "Have AWS send me an email if I hit X spending trajectory on week 3 of the month."
 You can then use this information to tune your resources based on what you can afford.
 You can mix this information with user resource consumption to figure out if you have a problem,
 e.g. "my users really do need X resources, but I can only afford to give them 80% of X."
 This information may prove useful when asking your budget-approving folks for more funds.
 ### Additional resources
 There are lots of other resources for cost and capacity planning that may be specific to JupyterHub and/or your cloud provider.
 Here are some useful links to other resources
 - [Zero to JupyterHub](https://z2jh.jupyter.org) documentation on
  - [projecting costs](https://z2jh.jupyter.org/en/latest/administrator/cost.html)
  - [configuring user resources](https://z2jh.jupyter.org/en/latest/jupyterhub/customizing/user-resources.html)
 - Cloud platform cost calculators:
  - [Google Cloud](https://cloud.google.com/products/calculator/)
  - [Amazon AWS](https://calculator.aws)
  - [Microsoft Azure](https://azure.microsoft.com/en-us/pricing/calculator/)
--- a/docs/source/explanation/database.md
+++ b/docs/source/explanation/database.md
@@ -1,183 +0,0 @@
 (hub-database)=
 # The Hub's Database
 JupyterHub uses a database to store information about users, services, and other data needed for operating the Hub.
 This is the **state** of the Hub.
 ## Why does JupyterHub have a database?
 JupyterHub is a **stateful** application (more on that 'state' later).
 Updating JupyterHub's configuration or upgrading the version of JupyterHub requires restarting the JupyterHub process to apply the changes.
 We want to minimize the disruption caused by restarting the Hub process, so it can be a mundane, frequent, routine activity.
 Storing state information outside the process for later retrieval is necessary for this, and one of the main thing databases are for.
 A lot of the operations in JupyterHub are also **relationships**, which is exactly what SQL databases are great at.
 For example:
 - Given an API token, what user is making the request?
 - Which users don't have running servers?
 - Which servers belong to user X?
 - Which users have not been active in the last 24 hours?
 Finally, a database allows us to have more information stored without needing it all loaded in memory,
 e.g. supporting a large number (several thousands) of inactive users.
 ## What's in the database?
 The short answer of what's in the JupyterHub database is "everything."
 JupyterHub's **state** lives in the database.
 That is, everything JupyterHub needs to be aware of to function that _doesn't_ come from the configuration files, such as
 - users, roles, role assignments
 - state, urls of running servers
 - Hashed API tokens
 - Short-lived state related to OAuth flow
 - Timestamps for when users, tokens, and servers were last used
 ### What's _not_ in the database
 Not _quite_ all of JupyterHub's state is in the database.
 This mostly involves transient state, such as the 'pending' transitions of Spawners (starting, stopping, etc.).
 Anything not in the database must be reconstructed on Hub restart, and the only sources of information to do that are the database and JupyterHub configuration file(s).
 ## How does JupyterHub use the database?
 JupyterHub makes some _unusual_ choices in how it connects to the database.
 These choices represent trade-offs favoring single-process simplicity and performance at the expense of horizontal scalability (multiple Hub instances).
 We often say that the Hub 'owns' the database.
 This ownership means that we assume the Hub is the only process that will talk to the database.
 This assumption enables us to make several caching optimizations that dramatically improve JupyterHub's performance (i.e. data written recently to the database can be read from memory instead of fetched again from the database) that would not work if multiple processes could be interacting with the database at the same time.
 Database operations are also synchronous, so while JupyterHub is waiting on a database operation, it cannot respond to other requests.
 This allows us to avoid complex locking mechanisms, because transaction races can only occur during an `await`, so we only need to make sure we've completed any given transaction before the next `await` in a given request.
 :::{note}
 We are slowly working to remove these assumptions, and moving to a more traditional db session per-request pattern.
 This will enable multiple Hub instances and enable scaling JupyterHub, but will significantly reduce the number of active users a single Hub instance can serve.
 :::
 ### Database performance in a typical request
 Most authenticated requests to JupyterHub involve a few database transactions:
 1. look up the authenticated user (e.g. look up token by hash, then resolve owner and permissions)
 2. record activity
 3. perform any relevant changes involved in processing the request (e.g. create the records for a running server when starting one)
 This means that the database is involved in almost every request, but only in quite small, simple queries, e.g.:
 - lookup one token by hash
 - lookup one user by name
 - list tokens or servers for one user (typically 1-10)
 - etc.
 ### The database as a limiting factor
 As a result of the above transactions in most requests, database performance is the _leading_ factor in JupyterHub's baseline requests-per-second performance, but that cost does not scale significantly with the number of users, active or otherwise.
 However, the database is _rarely_ a limiting factor in JupyterHub performance in a practical sense, because the main thing JupyterHub does is start, stop, and monitor whole servers, which take far more time than any small database transaction, no matter how many records you have or how slow your database is (within reason).
 Additionally, there is usually _very_ little load on the database itself.
 By far the most taxing activity on the database is the 'list all users' endpoint, primarily used by the [idle-culling service](https://github.com/jupyterhub/jupyterhub-idle-culler).
 Database-based optimizations have been added to make even these operations feasible for large numbers of users:
 1. State filtering on [GET /hub/api/users?state=active](../reference/rest-api.html#/default/get_users){.external},
   which limits the number of results in the query to only the relevant subset (added in JupyterHub 1.3), rather than all users.
 2. [Pagination](api-pagination) of all list endpoints, allowing the request of a large number of resources to be more fairly balanced with other Hub activities across multiple requests (added in 2.0).
 :::{note}
 It's important to note when discussing performance and limiting factors and that all of this only applies to requests to `/hub/...`.
 The Hub and its database are not involved in most requests to single-user servers (`/user/...`), which is by design, and largely motivated by the fact that the Hub itself doesn't _need_ to be fast because its operations are infrequent and large.
 :::
 ## Database backends
 JupyterHub supports a variety of database backends via [SQLAlchemy][].
 The default is sqlite, which works great for many cases, but you should be able to use many backends supported by SQLAlchemy.
 Usually, this will mean PostgreSQL or MySQL, both of which are officially supported and well tested with JupyterHub, but others may work as well.
 See [SQLAlchemy's docs][sqlalchemy-dialect] for how to connect to different database backends.
 Doing so generally involves:
 1. installing a Python package that provides a client implementation, and
 2. setting [](JupyterHub.db_url) to connect to your database with the specified implementation
 [sqlalchemy-dialect]: https://docs.sqlalchemy.org/en/20/dialects/
 [sqlalchemy]: https://www.sqlalchemy.org
 ### Default backend: SQLite
 The default database backend for JupyterHub is [SQLite](https://sqlite.org).
 We have chosen SQLite as JupyterHub's default because it's simple (the 'database' is a single file) and ubiquitous (it is in the Python standard library).
 It works very well for testing, small deployments, and workshops.
 For production systems, SQLite has some disadvantages when used with JupyterHub:
 - `upgrade-db` may not always work, and you may need to start with a fresh database
 - `downgrade-db` **will not** work if you want to rollback to an earlier
  version, so backup the `jupyterhub.sqlite` file before upgrading (JupyterHub automatically creates a date-stamped backup file when upgrading sqlite)
 The sqlite documentation provides a helpful page about [when to use SQLite and
 where traditional RDBMS may be a better choice](https://sqlite.org/whentouse.html).
 ### Picking your database backend (PostgreSQL, MySQL)
 When running a long term deployment or a production system, we recommend using a full-fledged relational database, such as [PostgreSQL](https://www.postgresql.org) or [MySQL](https://www.mysql.com), that supports the SQL `ALTER TABLE` statement, which is used in some database upgrade steps.
 In general, you select your database backend with [](JupyterHub.db_url), and can further configure it (usually not necessary) with [](JupyterHub.db_kwargs).
 ## Notes and Tips
 ### SQLite
 The SQLite database should not be used on NFS. SQLite uses reader/writer locks
 to control access to the database. This locking mechanism might not work
 correctly if the database file is kept on an NFS filesystem. This is because
 `fcntl()` file locking is broken on many NFS implementations. Therefore, you
 should avoid putting SQLite database files on NFS since it will not handle well
 multiple processes which might try to access the file at the same time.
 ### PostgreSQL
 We recommend using PostgreSQL for production if you are unsure whether to use
 MySQL or PostgreSQL or if you do not have a strong preference.
 There is additional configuration required for MySQL that is not needed for PostgreSQL.
 For example, to connect to a postgres database with psycopg2:
 1. install psycopg2: `pip instal psycopg2` (or `psycopg2-binary` to avoid compilation, which is [not recommended for production][psycopg2-binary])
 2. set authentication via environment variables `PGUSER` and `PGPASSWORD`
 3. configure [](JupyterHub.db_url):
   ```python
   c.JupyterHub.db_url = "postgres+psycopg2://my-postgres-server:5432/my-db-name"
   ```
 [psycopg2-binary]: https://www.psycopg.org/docs/install.html#psycopg-vs-psycopg-binary
 ### MySQL / MariaDB
 - You should probably use the `pymysql` or `mysqlclient` sqlalchemy provider, or another backend [recommended by sqlalchemy](https://docs.sqlalchemy.org/en/20/dialects/mysql.html#dialect-mysql)
 - You also need to set `pool_recycle` to some value (typically 60 - 300, JupyterHub will default to 60)
  which depends on your MySQL setup. This is necessary since MySQL kills
  connections serverside if they've been idle for a while, and the connection
  from the hub will be idle for longer than most connections. This behavior
  will lead to frustrating 'the connection has gone away' errors from
  sqlalchemy if `pool_recycle` is not set.
 - If you use `utf8mb4` collation with MySQL earlier than 5.7.7 or MariaDB
  earlier than 10.2.1 you may get an `1709, Index column size too large` error.
  To fix this you need to set `innodb_large_prefix` to enabled and
  `innodb_file_format` to `Barracuda` to allow for the index sizes jupyterhub
  uses. `row_format` will be set to `DYNAMIC` as long as those options are set
  correctly. Later versions of MariaDB and MySQL should set these values by
  default, as well as have a default `DYNAMIC` `row_format` and pose no trouble
  to users.
 For example, to connect to a mysql database with mysqlclient:
 1. install mysqlclient: `pip install mysqlclient`
 2. configure [](JupyterHub.db_url):
   ```python
   c.JupyterHub.db_url = "mysql+mysqldb://myuser:mypassword@my-sql-server:3306/my-db-name"
   ```
--- a/docs/source/explanation/index.md
+++ b/docs/source/explanation/index.md
@@ -1,14 +0,0 @@
 # Explanation
 _Explanation_ documentation provide big-picture descriptions of how JupyterHub works. This section is meant to build your understanding of particular topics.
 ```{toctree}
 :maxdepth: 1
 capacity-planning
 database
 websecurity
 oauth
 singleuser
 ../rbac/index
 ```
--- a/docs/source/explanation/oauth.md
+++ b/docs/source/explanation/oauth.md
@@ -1,373 +0,0 @@
 # JupyterHub and OAuth
 JupyterHub uses [OAuth 2](https://oauth.net/2/) as an internal mechanism for authenticating users.
 As such, JupyterHub itself always functions as an OAuth **provider**.
 You can find out more about what that means [below](oauth-terms).
 Additionally, JupyterHub is _often_ deployed with [OAuthenticator](https://oauthenticator.readthedocs.io),
 where an external identity provider, such as GitHub or KeyCloak, is used to authenticate users.
 When this is the case, there are _two_ nested OAuth flows:
 an _internal_ OAuth flow where JupyterHub is the **provider**,
 and an _external_ OAuth flow, where JupyterHub is the **client**.
 This means that when you are using JupyterHub, there is always _at least one_ and often two layers of OAuth involved in a user logging in and accessing their server.
 The following points are noteworthy:
 - Single-user servers _never_ need to communicate with or be aware of the upstream provider configured in your Authenticator.
  As far as the servers are concerned, only JupyterHub is an OAuth provider,
  and how users authenticate with the Hub itself is irrelevant.
 - When interacting with a single-user server,
  there are ~always two tokens:
  first, a token issued to the server itself to communicate with the Hub API,
  and second, a per-user token in the browser to represent the completed login process and authorized permissions.
  More on this [later](two-tokens).
 (oauth-terms)=
 ## Key OAuth terms
 Here are some key definitions to keep in mind when we are talking about OAuth.
 You can also read more in detail [here](https://www.oauth.com/oauth2-servers/definitions/).
 - **provider**: The entity responsible for managing identity and authorization;
  always a web server.
  JupyterHub is _always_ an OAuth provider for JupyterHub's components.
  When OAuthenticator is used, an external service, such as GitHub or KeyCloak, is also an OAuth provider.
 - **client**: An entity that requests OAuth **tokens** on a user's behalf;
  generally a web server of some kind.
  OAuth **clients** are services that _delegate_ authentication and/or authorization
  to an OAuth **provider**.
  JupyterHub _services_ or single-user _servers_ are OAuth **clients** of the JupyterHub **provider**.
  When OAuthenticator is used, JupyterHub is itself _also_ an OAuth **client** for the external OAuth **provider**, e.g. GitHub.
 - **browser**: A user's web browser, which makes requests and stores things like cookies.
 - **token**: The secret value used to represent a user's authorization. This is the final product of the OAuth process.
 - **code**: A short-lived temporary secret that the **client** exchanges
  for a **token** at the conclusion of OAuth,
  in what's generally called the "OAuth callback handler."
 ## One oauth flow
 OAuth **flow** is what we call the sequence of HTTP requests involved in authenticating a user and issuing a token, ultimately used for authorizing access to a service or single-user server.
 A single OAuth flow typically goes like this:
 ### OAuth request and redirect
 1. A **browser** makes an HTTP request to an OAuth **client**.
 2. There are no credentials, so the client _redirects_ the browser to an "authorize" page on the OAuth **provider** with some extra information:
   - the OAuth **client ID** of the client itself.
   - the **redirect URI** to be redirected back to after completion.
   - the **scopes** requested, which the user should be presented with to confirm.
     This is the "X would like to be able to Y on your behalf. Allow this?" page you see on all the "Login with ..." pages around the Internet.
 3. During this authorize step,
   the browser must be _authenticated_ with the provider.
   This is often already stored in a cookie,
   but if not the provider webapp must begin its _own_ authentication process before serving the authorization page.
   This _may_ even begin another OAuth flow!
 4. After the user tells the provider that they want to proceed with the authorization,
   the provider records this authorization in a short-lived record called an **OAuth code**.
 5. Finally, the oauth provider redirects the browser _back_ to the oauth client's "redirect URI"
   (or "OAuth callback URI"),
   with the OAuth code in a URL parameter.
 That marks the end of the requests made between the **browser** and the **provider**.
 ### State after redirect
 At this point:
 - The browser is authenticated with the _provider_.
 - The user's authorized permissions are recorded in an _OAuth code_.
 - The _provider_ knows that the permissions requested by the OAuth client have been granted, but the client doesn't know this yet.
 - All the requests so far have been made directly by the browser.
  No requests have originated from the client or provider.
 ### OAuth Client Handles Callback Request
 At this stage, we get to finish the OAuth process.
 Let's dig into what the OAuth client does when it handles
 the OAuth callback request.
 - The OAuth client receives the _code_ and makes an API request to the _provider_ to exchange the code for a real _token_.
  This is the first direct request between the OAuth _client_ and the _provider_.
 - Once the token is retrieved, the client _usually_
  makes a second API request to the _provider_
  to retrieve information about the owner of the token (the user).
  This is the step where behavior diverges for different OAuth providers.
  Up to this point, all OAuth providers are the same, following the OAuth specification.
  However, OAuth does not define a standard for issuing tokens in exchange for information about their owner or permissions ([OpenID Connect](https://openid.net/connect/) does that),
  so this step may be different for each OAuth provider.
 - Finally, the OAuth client stores its own record that the user is authorized in a cookie.
  This could be the token itself, or any other appropriate representation of successful authentication.
 - Now that credentials have been established,
  the browser can be redirected to the _original_ URL where it started,
  to try the request again.
  If the client wasn't able to keep track of the original URL all this time
  (not always easy!),
  you might end up back at a default landing page instead of where you started the login process. This is frustrating!
 😮‍💨 _phew_.
 So that's _one_ OAuth process.
 ## Full sequence of OAuth in JupyterHub
 Let's go through the above OAuth process in JupyterHub,
 with specific examples of each HTTP request and what information it contains.
 For bonus points, we are using the double-OAuth example of JupyterHub configured with GitHubOAuthenticator.
 To disambiguate, we will call the OAuth process where JupyterHub is the **provider** "internal OAuth,"
 and the one with JupyterHub as a **client** "external OAuth."
 Our starting point:
 - a user's single-user server is running. Let's call them `danez`
 - Jupyterhub is running with GitHub as an OAuth provider (this means two full instances of OAuth),
 - Danez has a fresh browser session with no cookies yet.
 First request:
 - browser->single-user server running JupyterLab or Jupyter Classic
 - `GET /user/danez/notebooks/mynotebook.ipynb`
 - no credentials, so single-user server (as an OAuth **client**) starts internal OAuth process with JupyterHub (the **provider**)
 - response: 302 redirect -> `/hub/api/oauth2/authorize`
  with:
  - client-id=`jupyterhub-user-danez`
  - redirect-uri=`/user/danez/oauth_callback` (we'll come back later!)
 Second request, following redirect:
 - browser->JupyterHub
 - `GET /hub/api/oauth2/authorize`
 - no credentials, so JupyterHub starts external OAuth process _with GitHub_
 - response: 302 redirect -> `https://github.com/login/oauth/authorize`
  with:
  - client-id=`jupyterhub-client-uuid`
  - redirect-uri=`/hub/oauth_callback` (we'll come back later!)
 _pause_ This is where JupyterHub configuration comes into play.
 Recall, in this case JupyterHub is using:
 ```python
 c.JupyterHub.authenticator_class = 'github'
 ```
 That means authenticating a request to the Hub itself starts
 a _second_, external OAuth process with GitHub as a provider.
 This external OAuth process is optional, though.
 If you were using the default username+password PAMAuthenticator,
 this redirect would have been to `/hub/login` instead, to present the user
 with a login form.
 Third request, following redirect:
 - browser->GitHub
 - `GET https://github.com/login/oauth/authorize`
 Here, GitHub prompts for login and asks for confirmation of authorization
 (more redirects if you aren't logged in to GitHub yet, but ultimately back to this `/authorize` URL).
 After successful authorization
 (either by looking up a pre-existing authorization,
 or recording it via form submission)
 GitHub issues an **OAuth code** and redirects to `/hub/oauth_callback?code=github-code`
 Next request:
 - browser->JupyterHub
 - `GET /hub/oauth_callback?code=github-code`
 Inside the callback handler, JupyterHub makes two API requests:
 The first:
 - JupyterHub->GitHub
 - `POST https://github.com/login/oauth/access_token`
 - request made with OAuth **code** from URL parameter
 - response includes an access **token**
 The second:
 - JupyterHub->GitHub
 - `GET https://api.github.com/user`
 - request made with access **token** in the `Authorization` header
 - response is the user model, including username, email, etc.
 Now the external OAuth callback request completes with:
 - set cookie on `/hub/` path, recording jupyterhub authentication so we don't need to do external OAuth with GitHub again for a while
 - redirect -> `/hub/api/oauth2/authorize`
 🎉 At this point, we have completed our first OAuth flow! 🎉
 Now, we get our first repeated request:
 - browser->jupyterhub
 - `GET /hub/api/oauth2/authorize`
 - this time with credentials,
  so jupyterhub either
  1. serves the internal authorization confirmation page, or
  2. automatically accepts authorization (shortcut taken when a user is visiting their own server)
 - redirect -> `/user/danez/oauth_callback?code=jupyterhub-code`
 Here, we start the same OAuth callback process as before, but at Danez's single-user server for the _internal_ OAuth.
 - browser->single-user server
 - `GET /user/danez/oauth_callback`
 (in handler)
 Inside the internal OAuth callback handler,
 Danez's server makes two API requests to JupyterHub:
 The first:
 - single-user server->JupyterHub
 - `POST /hub/api/oauth2/token`
 - request made with oauth code from url parameter
 - response includes an API token
 The second:
 - single-user server->JupyterHub
 - `GET /hub/api/user`
 - request made with token in the `Authorization` header
 - response is the user model, including username, groups, etc.
 Finally completing `GET /user/danez/oauth_callback`:
 - response sets cookie, storing encrypted access token
 - _finally_ redirects back to the original `/user/danez/notebooks/mynotebook.ipynb`
 Final request:
 - browser -> single-user server
 - `GET /user/danez/notebooks/mynotebook.ipynb`
 - encrypted jupyterhub token in cookie
 To authenticate this request, the single token stored in the encrypted cookie is passed to the Hub for verification:
 - single-user server -> Hub
 - `GET /hub/api/user`
 - browser's token in Authorization header
 - response: user model with name, groups, etc.
 If the user model matches who should be allowed (e.g. Danez),
 then the request is allowed.
 See [Scopes in JupyterHub](jupyterhub-scopes) for how JupyterHub uses scopes to determine authorized access to servers and services.
 _the end_
 ## Token caches and expiry
 Because tokens represent information from an external source,
 they can become 'stale,'
 or the information they represent may no longer be accurate.
 For example: a user's GitHub account may no longer be authorized to use JupyterHub,
 that should ultimately propagate to revoking access and force logging in again.
 To handle this, OAuth tokens and the various places they are stored can _expire_,
 which should have the same effect as no credentials,
 and trigger the authorization process again.
 In JupyterHub's internal OAuth, we have these layers of information that can go stale:
 - The OAuth client has a **cache** of Hub responses for tokens,
  so it doesn't need to make API requests to the Hub for every request it receives.
  This cache has an expiry of five minutes by default,
  and is governed by the configuration `HubAuth.cache_max_age` in the single-user server.
 - The internal OAuth token is stored in a cookie, which has its own expiry (default: 14 days),
  governed by `JupyterHub.cookie_max_age_days`.
 - The internal OAuth token itself can also expire,
  which is by default the same as the cookie expiry,
  since it makes sense for the token itself and the place it is stored to expire at the same time.
  This is governed by `JupyterHub.cookie_max_age_days` first,
  or can overridden by `JupyterHub.oauth_token_expires_in`.
 That's all for _internal_ auth storage,
 but the information from the _external_ authentication provider
 (could be PAM or GitHub OAuth, etc.) can also expire.
 Authenticator configuration governs when JupyterHub needs to ask again,
 triggering the external login process anew before letting a user proceed.
 - `jupyterhub-hub-login` cookie stores that a browser is authenticated with the Hub.
  This expires according to `JupyterHub.cookie_max_age_days` configuration,
  with a default of 14 days.
  The `jupyterhub-hub-login` cookie is encrypted with `JupyterHub.cookie_secret`
  configuration.
 - {meth}`.Authenticator.refresh_user` is a method to refresh a user's auth info.
  By default, it does nothing, but it can return an updated user model if a user's information has changed,
  or force a full login process again if needed.
 - {attr}`.Authenticator.auth_refresh_age` configuration governs how often
  `refresh_user()` will be called to check if a user must login again (default: 300 seconds).
 - {attr}`.Authenticator.refresh_pre_spawn` configuration governs whether
  `refresh_user()` should be called prior to spawning a server,
  to force fresh auth info when a server is launched (default: False).
  This can be useful when Authenticators pass access tokens to spawner environments, to ensure they aren't getting a stale token that's about to expire.
 **So what happens when these things expire or get stale?**
 - If the HubAuth **token response cache** expires,
  when a request is made with a token,
  the Hub is asked for the latest information about the token.
  This usually has no visible effect, since it is just refreshing a cache.
  If it turns out that the token itself has expired or been revoked,
  the request will be denied.
 - If the token has expired, but is still in the cookie:
  when the token response cache expires,
  the next time the server asks the hub about the token,
  no user will be identified and the internal OAuth process begins again.
 - If the token _cookie_ expires, the next browser request will be made with no credentials,
  and the internal OAuth process will begin again.
  This will usually have the form of a transparent redirect browsers won't notice.
  However, if this occurs on an API request in a long-lived page visit
  such as a JupyterLab session, the API request may fail and require
  a page refresh to get renewed credentials.
 - If the _JupyterHub_ cookie expires, the next time the browser makes a request to the Hub,
  the Hub's authorization process must begin again (e.g. login with GitHub).
  Hub cookie expiry on its own **does not** mean that a user can no longer access their single-user server!
 - If credentials from the upstream provider (e.g. GitHub) become stale or outdated,
  these will not be refreshed until/unless `refresh_user` is called
  _and_ `refresh_user()` on the given Authenticator is implemented to perform such a check.
  At this point, few Authenticators implement `refresh_user` to support this feature.
  If your Authenticator does not or cannot implement `refresh_user`,
  the only way to force a check is to reset the `JupyterHub.cookie_secret` encryption key,
  which invalidates the `jupyterhub-hub-login` cookie for all users.
 ### Logging out
 Logging out of JupyterHub means clearing and revoking many of these credentials:
 - The `jupyterhub-hub-login` cookie is revoked, meaning the next request to the Hub itself will require a new login.
 - The token stored in the `jupyterhub-user-username` cookie for the single-user server
  will be revoked, based on its associaton with `jupyterhub-session-id`, but the _cookie itself cannot be cleared at this point_
 - The shared `jupyterhub-session-id` is cleared, which ensures that the HubAuth **token response cache** will not be used,
  and the next request with the expired token will ask the Hub, which will inform the single-user server that the token has expired
 ## Extra bits
 (two-tokens)=
 ### A tale of two tokens
 **TODO**: discuss API token issued to server at startup ($JUPYTERHUB_API_TOKEN)
 and OAuth-issued token in the cookie,
 and some details of how JupyterLab currently deals with that.
 They are different, and JupyterLab should be making requests using the token from the cookie,
 not the token from the server,
 but that is not currently the case.
 ### Redirect loops
 In general, an authenticated web endpoint has this behavior,
 based on the authentication/authorization state of the browser:
 - If authorized, allow the request to happen
 - If authenticated (I know who you are) but not authorized (you are not allowed), fail with a 403 permission denied error
 - If not authenticated, start a redirect process to establish authorization,
  which should end in a redirect back to the original URL to try again.
  **This is why problems in authentication result in redirect loops!**
  If the second request fails to detect the authentication that should have been established during the redirect,
  it will start the authentication redirect process over again,
  and keep redirecting in a loop until the browser balks.
--- a/docs/source/explanation/singleuser.md
+++ b/docs/source/explanation/singleuser.md
@@ -1,109 +0,0 @@
 (singleuser)=
 # The JupyterHub single-user server
 When a user logs into JupyterHub, they get a 'server', which we usually call the **single-user server**, because it's a server that's meant for a single JupyterHub user.
 Each JupyterHub user gets a different one (or more than one!).
 A single-user server is a process running somewhere that is:
 1. accessible over http[s],
 2. authenticated via JupyterHub using OAuth 2.0,
 3. started by a [Spawner](spawners), and
 4. 'owned' by a single JupyterHub user
 ## The single-user server command
 The Spawner's default single-user server startup command, `jupyterhub-singleuser`, launches `jupyter-server`, the same program used when you run `jupyter lab` on your laptop.
 (_It can also launch the legacy `jupyter-notebook` server_).
 That's why JupyterHub looks familiar to folks who are already using Jupyter at home or elsewhere.
 It's the same!
 `jupyterhub-singleuser` _customizes_ that program to change (approximately) one thing: **authenticate requests with JupyterHub**.
 (singleuser-auth)=
 ## Single-user server authentication
 Implementation-wise, JupyterHub single-user servers are a special-case of {ref}`services`
 and as such use the same (OAuth) authentication mechanism (more on OAuth in JupyterHub at [](oauth)).
 This is primarily implemented in the {class}`~.HubOAuth` class.
 This code resides in `jupyterhub.singleuser` subpackage of JupyterHub.
 The main task of this code is to:
 1. resolve a JupyterHub token to a JupyterHub user (authenticate)
 2. check permissions (`access:servers`) for the token to make sure the request should be allowed (authorize)
 3. if not authorized, begin the OAuth process with a redirect to the Hub
 4. after login, store OAuth tokens in a cookie only used by this single-user server
 5. implement logout to clear the cookie
 Most of this is implemented in the {class}`~.HubOAuth` class. `jupyterhub.singleuser` is responsible for _adapting_ the base Jupyter Server to use HubOAuth for these tasks.
 ### JupyterHub authentication extension
 By default, `jupyter-server` uses its own cookie to authenticate.
 If that cookie is not present, the server redirects you a login page and asks you to enter a password or token.
 Jupyter Server 2.0 introduces two new _APIs_ for customizing authentication: the [IdentityProvider](inv:jupyter-server#jupyter_server.auth.IdentityProvider) and the [Authorizer](inv:jupyter-server#jupyter_server.auth.Authorizer).
 More information can be found in the [Jupyter Server documentation](https://jupyter-server.readthedocs.io).
 JupyterHub implements these APIs in `jupyterhub.singleuser.extension`.
 The IdentityProvider is responsible for _authenticating_ requests.
 In JupyterHub, that means extracting OAuth tokens from the request and resolving them to a JupyterHub user.
 The Authorizer is a _separate_ API for _authorizing_ actions on particular resources.
 Because the JupyterHub IdentityProvider only allows _authenticating_ users who already have the necessary `access:servers` permission to access the server, the default Authorizer only contains a redundant check for this same permission, and ignores the resource inputs.
 However, specifying a _custom_ Authorizer allows for granular permissions, such as read-only access to subsets of a shared server.
 ### JupyterHub authentication via subclass
 Prior to Jupyter Server 2 (i.e. Jupyter Server 1.x or the legacy `jupyter-notebook` server), JupyterHub authentication is applied via _subclass_.
 Originally a subclass of `NotebookApp`,
 this approach works with both `jupyter-server` and `jupyter-notebook`.
 Instead of using the extension mechanisms above,
 the server application is _subclassed_. This worked well in the `jupyter-notebook` days,
 but doesn't fit well with Jupyter Server's extension-based architecture.
 ### Selecting jupyterhub-singleuser implementation
 Using the JupyterHub singleuser-server extension is the default behavior of JupyterHub 4 and Jupyter Server 2, otherwise the subclass approach is taken.
 You can opt-out of the extension by setting the environment variable `JUPYTERHUB_SINGLEUSER_EXTENSION=0`:
 ```python
 c.Spawner.environment.update(
    {
        "JUPYTERHUB_SINGLEUSER_EXTENSION": "0",
    }
 )
 ```
 The subclass approach will also be taken if you've opted to use the classic notebook server with:
 ```
 JUPYTERHUB_SINGLEUSER_APP=notebook
 ```
 which was introduced in JupyterHub 2.
 ## Other customizations
 `jupyterhub-singleuser` makes other small customizations to how the single-user server behaves:
 1. logs activity on the single-user server, used in [idle-culling](https://github.com/jupyterhub/jupyterhub-idle-culler).
 2. disables some features that don't make sense in JupyterHub (trash, retrying ports)
 3. loading options such as URLs and SSL configuration from the environment
 4. customize logging for consistency with JupyterHub logs
 ## Running a single-user server that's not `jupyterhub-singleuser`
 By default, `jupyterhub-singleuser` is the same `jupyter-server` used by JupyterLab, Jupyter notebook (>= 7), etc.
 But technically, all JupyterHub cares about is that it is:
 1. an http server at the prescribed URL, accessible from the Hub and proxy, and
 2. authenticated via [OAuth](oauth) with the Hub (it doesn't even have to do this, if you want to do your own authentication, as is done in BinderHub)
 which means that you can customize JupyterHub to launch _any_ web application that meets these criteria, by following the specifications in {ref}`services`.
 Most of the time, though, it's easier to use [jupyter-server-proxy](https://jupyter-server-proxy.readthedocs.io) if you want to launch additional web applications in JupyterHub.
--- a/docs/source/faq/faq.md
+++ b/docs/source/faq/faq.md
@@ -1,76 +0,0 @@
 # Frequently asked questions
 ## How do I share links to notebooks?
 Sharing links to notebooks is a common activity,
 and can look different depending on what you mean by 'share.'
 Your first instinct might be to copy the URL you see in the browser,
 e.g. `jupyterhub.example/user/yourname/notebooks/coolthing.ipynb`,
 but this usually won't work, depending on the permissions of the person you share the link with.
 Unfortunately, 'share' means at least a few things to people in a JupyterHub context.
 We'll cover 3 common cases here, when they are applicable, and what assumptions they make:
 1. sharing links that will open the same file on the visitor's own server
 2. sharing links that will bring the visitor to _your_ server (e.g. for real-time collaboration, or RTC)
 3. publishing notebooks and sharing links that will download the notebook into the user's server
 ### link to the same file on the visitor's server
 This is for the case where you have JupyterHub on a shared (or sufficiently similar) filesystem, where you want to share a link that will cause users to login and start their _own_ server, to view or edit the file.
 **Assumption:** the same path on someone else's server is valid and points to the same file
 This is useful in e.g. classes where you know students have certain files in certain locations, or collaborations where you know you have a shared filesystem where everyone has access to the same files.
 A link should look like `https://jupyterhub.example/hub/user-redirect/lab/tree/foo.ipynb`.
 You can hand-craft these URLs from the URL you are looking at, where you see `/user/name/lab/tree/foo.ipynb` use `/hub/user-redirect/lab/tree/foo.ipynb` (replace `/user/name/` with `/hub/user-redirect/`).
 Or you can use JupyterLab's "copy shareable link" in the context menu in the file browser:
 ![copy shareable link in JupyterLab](../images/shareable_link.webp)
 which will produce a correct URL with `/hub/user-redirect/` in it.
 ### link to the file on your server
 This is for the case where you want to both be using _your_ server, e.g. for real-time collaboration (RTC).
 **Assumption:** the user has (or should have) access to your server.
 **Assumption:** your server is running _or_ the user has permission to start it.
 By default, JupyterHub users don't have access to each other's servers, but JupyterHub 2.0 administrators can grant users limited access permissions to each other's servers.
 If the visitor doesn't have access to the server, these links will result in a 403 Permission Denied error.
 In many cases, for this situation you can copy the link in your URL bar (`/user/yourname/lab`), or you can add `/tree/path/to/specific/notebook.ipynb` to open a specific file.
 The [jupyterlab-link-share] JupyterLab extension generates these links, and even can _grant_ other users access to your server.
 [jupyterlab-link-share]: https://github.com/jupyterlab-contrib/jupyterlab-link-share
 :::{warning}
 Note that the way the extension _grants_ access is handing over credentials to allow the other user to **_BECOME YOU_**.
 This is usually not appropriate in JupyterHub.
 :::
 ### link to a published copy
 Another way to 'share' notebooks is to publish copies, e.g. pushing the notebook to a git repository and sharing a download link.
 This way is especially useful for course materials,
 where no assumptions are necessary about the user's environment,
 except for having one package installed.
 **Assumption:** The [nbgitpuller](inv:nbgitpuller#index) server extension is installed
 Unlike the other two methods, nbgitpuller doesn't provide an extension to copy a shareable link for the document you're currently looking at,
 but it does provide a [link generator](inv:nbgitpuller#link),
 which uses the `user-redirect` approach above.
 When visiting an nbgitpuller link:
 - The visitor will be directed to their own server
 - Your repo will be cloned (or updated if it's already been cloned)
 - and then the file opened when it's ready
 [nbgitpuller]: https://nbgitpuller.readthedocs.io
 [nbgitpuller-link]: https://nbgitpuller.readthedocs.io/en/latest/link.html
--- a/docs/source/faq/index.md
+++ b/docs/source/faq/index.md
@@ -1,11 +0,0 @@
 # FAQs
 Find answers to some of the most frequently-asked questions around JupyterHub and how it works.
 ```{toctree}
 :maxdepth: 2
 faq
 institutional-faq
 troubleshooting
 ```
--- a/docs/source/reference/gallery-jhub-deployments.md
+++ b/docs/source/reference/gallery-jhub-deployments.md
@@ -1,5 +1,3 @@
 (gallery-of-deployments)=
 # A Gallery of JupyterHub Deployments
 **A JupyterHub Community Resource**
@@ -22,13 +20,13 @@ Please submit pull requests to update information or to add new institutions or
  - [GitHub organization](https://github.com/data-8)
- [NERSC](https://www.nersc.gov/)
+- [NERSC](http://www.nersc.gov/)
-  - [Press release on Jupyter and Cori](https://www.nersc.gov/news-publications/nersc-news/nersc-center-news/2016/jupyter-notebooks-will-open-up-new-possibilities-on-nerscs-cori-supercomputer/)
+  - [Press release on Jupyter and Cori](http://www.nersc.gov/news-publications/nersc-news/nersc-center-news/2016/jupyter-notebooks-will-open-up-new-possibilities-on-nerscs-cori-supercomputer/)
  - [Moving and sharing data](https://www.nersc.gov/assets/Uploads/03-MovingAndSharingData-Cholia.pdf)
- [Research IT](https://research-it.berkeley.edu)
+- [Research IT](http://research-it.berkeley.edu)
-  - [JupyterHub server supports campus research computation](https://research-it.berkeley.edu/blog/17/01/24/free-fully-loaded-jupyterhub-server-supports-campus-research-computation)
+  - [JupyterHub server supports campus research computation](http://research-it.berkeley.edu/blog/17/01/24/free-fully-loaded-jupyterhub-server-supports-campus-research-computation)
 ### University of California Davis
@@ -63,39 +61,28 @@ easy to do with RStudio too.
 - [jupyterhub-deploy-teaching](https://github.com/jupyterhub/jupyterhub-deploy-teaching) based on work by Brian Granger for Cal Poly's Data Science 301 Course
 ### CERN
 [CERN](https://home.cern/), also known as the European Organization for Nuclear Research, is a world-renowned scientific research centre and the home of the Large Hadron Collider (LHC).
 Within CERN, there are two noteworthy JupyterHub deployments in operation:
 - [SWAN](https://swan.web.cern.ch/swan/), which stands for Service for Web based Analysis, serves as an interactive data analysis platform primarily utilized at CERN.
 - [VRE](https://vre-hub.github.io/), which stands for Virtual Research Environment, is an analysis platform developed within the [EOSC Project](https://eoscfuture.eu/) to cater to the needs of scientific communities involved in European projects.
 ### Chameleon
 [Chameleon](https://www.chameleoncloud.org) is a NSF-funded configurable experimental environment for large-scale computer science systems research with [bare metal reconfigurability](https://chameleoncloud.readthedocs.io/en/latest/technical/baremetal.html). Chameleon users utilize JupyterHub to document and reproduce their complex CISE and networking experiments.
 - [Shared JupyterHub](https://jupyter.chameleoncloud.org): provides a common "workbench" environment for any Chameleon user.
 - [Trovi](https://www.chameleoncloud.org/experiment/share): a sharing portal of experiments, tutorials, and examples, which users can launch as a dedicated isolated environments on Chameleon's JupyterHub.
 ### Clemson University
 - Advanced Computing
-  - [Palmetto cluster and JupyterHub](https://citi.sites.clemson.edu/2016/08/18/JupyterHub-for-Palmetto-Cluster.html)
+  - [Palmetto cluster and JupyterHub](http://citi.sites.clemson.edu/2016/08/18/JupyterHub-for-Palmetto-Cluster.html)
 ### University of Colorado Boulder
 - (CU Research Computing) CURC
-  - [JupyterHub User Guide](https://curc.readthedocs.io/en/latest/gateways/jupyterhub.html)
+  - [JupyterHub User Guide](https://www.rc.colorado.edu/support/user-guide/jupyterhub.html)
    - Slurm job dispatched on Crestone compute cluster
    - log troubleshooting
    - Profiles in IPython Clusters tab
  - [Parallel Processing with JupyterHub tutorial](https://www.rc.colorado.edu/support/examples-and-tutorials/parallel-processing-with-jupyterhub.html)
  - [Parallel Programming with JupyterHub document](https://www.rc.colorado.edu/book/export/html/833)
 - Earth Lab at CU
  - [Tutorial on Parallel R on JupyterHub](https://earthdatascience.org/tutorials/parallel-r-on-jupyterhub/)
 ### George Washington University
- [JupyterHub](https://go.gwu.edu/jupyter) with university single-sign-on. Deployed early 2017.
+- [Jupyter Hub](http://go.gwu.edu/jupyter) with university single-sign-on. Deployed early 2017.
 ### HTCondor
@@ -103,11 +90,11 @@ Within CERN, there are two noteworthy JupyterHub deployments in operation:
 ### University of Illinois
- https://datascience.business.illinois.edu (currently down; checked 10/26/22)
+- https://datascience.business.illinois.edu (currently down; checked 04/26/19)
 ### IllustrisTNG Simulation Project
- [JupyterHub/Lab-based analysis platform, part of the TNG public data release](https://www.tng-project.org/data/)
+- [JupyterHub/Lab-based analysis platform, part of the TNG public data release](http://www.tng-project.org/data/)
 ### MIT and Lincoln Labs
@@ -127,12 +114,16 @@ Within CERN, there are two noteworthy JupyterHub deployments in operation:
 ### Paderborn University
- [Data Science (DICE) group](https://dice-research.org)
+- [Data Science (DICE) group](https://dice.cs.uni-paderborn.de/)
  - [nbgraderutils](https://github.com/dice-group/nbgraderutils): Use JupyterHub + nbgrader + iJava kernel for online Java exercises. Used in lecture Statistical Natural Language Processing.
 ### Penn State University
- [Press release](https://news.psu.edu/story/523093/2018/05/24/new-open-source-web-apps-available-students-and-faculty): "New open-source web apps available for students and faculty"
+- [Press release](https://news.psu.edu/story/523093/2018/05/24/new-open-source-web-apps-available-students-and-faculty): "New open-source web apps available for students and faculty" (but Hub is currently down; checked 04/26/19)
 ### University of Rochester CIRC
 - [JupyterHub Userguide](https://info.circ.rochester.edu/Web_Applications/JupyterHub.html) - Slurm, beehive
 ### University of California San Diego
@@ -146,7 +137,7 @@ Within CERN, there are two noteworthy JupyterHub deployments in operation:
  - [Sample deployment of Jupyterhub in HPC on SDSC Comet](https://zonca.github.io/2017/02/sample-deployment-jupyterhub-hpc.html)
 - Educational Technology Services - Paul Jamason
-  - [datahub.ucsd.edu](https://datahub.ucsd.edu)
+  - [jupyterhub.ucsd.edu](https://jupyterhub.ucsd.edu)
 ### TACC University of Texas
@@ -158,13 +149,13 @@ Within CERN, there are two noteworthy JupyterHub deployments in operation:
 ### Elucidata
 - What's new in Jupyter Notebooks @[Elucidata](https://elucidata.io/):
-  - [Using Jupyter Notebooks with Jupyterhub on GCP, managed by GKE](https://medium.com/elucidata/why-you-should-be-using-a-jupyter-notebook-8385a4ccd93d)
+  - Using Jupyter Notebooks with Jupyterhub on GCP, managed by GKE - https://medium.com/elucidata/why-you-should-be-using-a-jupyter-notebook-8385a4ccd93d
 ## Service Providers
 ### AWS
- [Run Jupyter Notebook and JupyterHub on Amazon EMR](https://aws.amazon.com/blogs/big-data/running-jupyter-notebook-and-jupyterhub-on-amazon-emr/)
+- [running-jupyter-notebook-and-jupyterhub-on-amazon-emr](https://aws.amazon.com/blogs/big-data/running-jupyter-notebook-and-jupyterhub-on-amazon-emr/)
 ### Google Cloud Platform
@@ -177,12 +168,12 @@ Within CERN, there are two noteworthy JupyterHub deployments in operation:
 ### Microsoft Azure
- [Azure Data Science Virtual Machine release notes](https://docs.microsoft.com/en-us/azure/machine-learning/machine-learning-data-science-linux-dsvm-intro)
+- https://docs.microsoft.com/en-us/azure/machine-learning/machine-learning-data-science-linux-dsvm-intro
 ### Rackspace Carina
 - https://getcarina.com/blog/learning-how-to-whale/
- https://carolynvanslyck.com/talk/carina/jupyterhub/#/ (but carolynvanslyck is currently down; checked 10/26/22)
+- http://carolynvanslyck.com/talk/carina/jupyterhub/#/
 ### Hadoop
@@ -191,13 +182,13 @@ Within CERN, there are two noteworthy JupyterHub deployments in operation:
 ## Miscellaneous
 - https://medium.com/@ybarraud/setting-up-jupyterhub-with-sudospawner-and-anaconda-844628c0dbee#.rm3yt87e1
- [Mailing list UT deployment](https://groups.google.com/g/jupyter/c/nkPSEeMr8c0)
+- https://groups.google.com/forum/#!topic/jupyter/nkPSEeMr8c0 Mailing list UT deployment
- [JupyterHub setup on Centos](https://gist.github.com/johnrc/604971f7d41ebf12370bf5729bf3e0a4)
+- JupyterHub setup on Centos https://gist.github.com/johnrc/604971f7d41ebf12370bf5729bf3e0a4
- [Deploy JupyterHub to Docker Swarm](https://jupyterhub.surge.sh)
+- Deploy JupyterHub to Docker Swarm https://jupyterhub.surge.sh/#/welcome
- https://www.laketide.com/building-your-lab-part-3/
+- http://www.laketide.com/building-your-lab-part-3/
- https://estrellita.hatenablog.com/entry/2015/07/31/083202
+- http://estrellita.hatenablog.com/entry/2015/07/31/083202
- https://www.walkingrandomly.com/?p=5734
+- http://www.walkingrandomly.com/?p=5734
 - https://wrdrd.com/docs/consulting/education-technology
 - https://bitbucket.org/jackhale/fenics-jupyter
 - [LinuxCluster blog](https://linuxcluster.wordpress.com/category/application/jupyterhub/)
- [Spark Cluster on OpenStack with Multi-User Jupyter Notebook](https://arnesund.com/2015/09/21/spark-cluster-on-openstack-with-multi-user-jupyter-notebook/)
+- [Network Technology](https://arnesund.com/tag/jupyterhub/) [Spark Cluster on OpenStack with Multi-User Jupyter Notebook](https://arnesund.com/2015/09/21/spark-cluster-on-openstack-with-multi-user-jupyter-notebook/)
--- a/docs/source/tutorial/getting-started/authenticators-users-basics.md
+++ b/docs/source/tutorial/getting-started/authenticators-users-basics.md
@@ -1,12 +1,10 @@
 (authenticators)=
 # Authentication and User Basics
-The default Authenticator uses [PAM][] (Pluggable Authentication Module) to authenticate system users with
+The default Authenticator uses [PAM][] to authenticate system users with
-their usernames and passwords. With the default Authenticator, any user
+their username and password. With the default Authenticator, any user
 with an account and password on the system will be allowed to login.
-## Create a set of allowed users (`allowed_users`)
+## Create a set of allowed users
 You can restrict which users are allowed to login with a set,
 `Authenticator.allowed_users`:
@@ -18,19 +16,8 @@ c.Authenticator.allowed_users = {'mal', 'zoe', 'inara', 'kaylee'}
 Users in the `allowed_users` set are added to the Hub database when the Hub is
 started.
 ```{warning}
 If this configuration value is not set, then **all authenticated users will be allowed into your hub**.
 ```
 ## Configure admins (`admin_users`)
 ```{note}
 As of JupyterHub 2.0, the full permissions of `admin_users`
 should not be required.
 Instead, you can assign [roles](define-role-target) to users or groups
 with only the scopes they require.
 ```
 Admin users of JupyterHub, `admin_users`, can add and remove users from
 the user `allowed_users` set. `admin_users` can take actions on other users'
 behalf, such as stopping and restarting their servers.
@@ -44,10 +31,10 @@ c.Authenticator.admin_users = {'mal', 'zoe'}
 Users in the admin set are automatically added to the user `allowed_users` set,
 if they are not already present.
-Each Authenticator may have different ways of determining whether a user is an
+Each authenticator may have different ways of determining whether a user is an
-administrator. By default, JupyterHub uses the PAMAuthenticator which provides the
+administrator. By default JupyterHub uses the PAMAuthenticator which provides the
 `admin_groups` option and can set administrator status based on a user
-group. For example, we can let any user in the `wheel` group be an admin:
+group. For example we can let any user in the `wheel` group be admin:
 ```python
 c.PAMAuthenticator.admin_groups = {'wheel'}
@@ -59,12 +46,12 @@ Since the default `JupyterHub.admin_access` setting is `False`, the admins
 do not have permission to log in to the single user notebook servers
 owned by _other users_. If `JupyterHub.admin_access` is set to `True`,
 then admins have permission to log in _as other users_ on their
-respective machines for debugging. **As a courtesy, you should make
+respective machines, for debugging. **As a courtesy, you should make
 sure your users know if admin_access is enabled.**
 ## Add or remove users from the Hub
-Users can be added to and removed from the Hub via the admin
+Users can be added to and removed from the Hub via either the admin
 panel or the REST API. When a user is **added**, the user will be
 automatically added to the `allowed_users` set and database. Restarting the Hub
 will not require manually updating the `allowed_users` set in your config file,
@@ -78,12 +65,12 @@ fresh.
 ## Use LocalAuthenticator to create system users
-The `LocalAuthenticator` is a special kind of Authenticator that has
+The `LocalAuthenticator` is a special kind of authenticator that has
 the ability to manage users on the local system. When you try to add a
 new user to the Hub, a `LocalAuthenticator` will check if the user
 already exists. If you set the configuration value, `create_system_users`,
 to `True` in the configuration file, the `LocalAuthenticator` has
-the ability to add users to the system. The setting in the config
+the privileges to add users to the system. The setting in the config
 file is:
 ```python
@@ -93,7 +80,7 @@ c.LocalAuthenticator.create_system_users = True
 Adding a user to the Hub that doesn't already exist on the system will
 result in the Hub creating that user via the system `adduser` command
 line tool. This option is typically used on hosted deployments of
-JupyterHub to avoid the need to manually create all your users before
+JupyterHub, to avoid the need to manually create all your users before
 launching the service. This approach is not recommended when running
 JupyterHub in situations where JupyterHub users map directly onto the
 system's UNIX users.
@@ -103,25 +90,25 @@ system's UNIX users.
 JupyterHub's [OAuthenticator][] currently supports the following
 popular services:
- [Auth0](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.auth0.html)
+- Auth0
- [Azure AD](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.azuread.html)
+- Azure AD
- [Bitbucket](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.bitbucket.html)
+- Bitbucket
- [CILogon](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.cilogon.html)
+- CILogon
- [GitHub](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.github.html)
+- GitHub
- [GitLab](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.gitlab.html)
+- GitLab
- [Globus](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.globus.html)
+- Globus
- [Google](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.google.html)
+- Google
- [MediaWiki](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.mediawiki.html)
+- MediaWiki
- [Okpy](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.okpy.html)
+- Okpy
- [OpenShift](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.openshift.html)
+- OpenShift
-A [generic implementation](https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.generic.html), which you can use for OAuth authentication
+A generic implementation, which you can use for OAuth authentication
 with any provider, is also available.
 ## Use DummyAuthenticator for testing
-The `DummyAuthenticator` is a simple Authenticator that
+The `DummyAuthenticator` is a simple authenticator that
-allows for any username or password unless a global password has been set. If
+allows for any username/password unless a global password has been set. If
 set, it will allow for any username as long as the correct password is provided.
 To set a global password, add this to the config file:
--- a/docs/source/tutorial/getting-started/config-basics.md
+++ b/docs/source/tutorial/getting-started/config-basics.md
@@ -1,7 +1,7 @@
 # Configuration Basics
-This section contains basic information about configuring settings for a JupyterHub
+The section contains basic information about configuring settings for a JupyterHub
-deployment. The [Technical Reference](reference-index)
+deployment. The [Technical Reference](../reference/index)
 documentation provides additional details.
 This section will help you learn how to:
@@ -11,8 +11,6 @@ This section will help you learn how to:
 - configure JupyterHub using command line options
 - find information and examples for some common deployments
 (generate-config-file)=
 ## Generate a default config file
 On startup, JupyterHub will look by default for a configuration file,
@@ -46,12 +44,12 @@ jupyterhub -f /etc/jupyterhub/jupyterhub_config.py
 ```
 The IPython documentation provides additional information on the
-[config system](https://ipython.readthedocs.io/en/stable/development/config.html)
+[config system](http://ipython.readthedocs.io/en/stable/development/config.html)
 that Jupyter uses.
 ## Configure using command line options
-To display all command line options that are available for configuration run the following command:
+To display all command line options that are available for configuration:
 ```bash
    jupyterhub --help-all
@@ -79,11 +77,11 @@ jupyterhub --Spawner.notebook_dir='~/assignments'
 ## Configure for various deployment environments
 The default authentication and process spawning mechanisms can be replaced, and
-specific [authenticators](authenticators-users-basics) and
+specific [authenticators](./authenticators-users-basics) and
-[spawners](spawners-basics) can be set in the configuration file.
+[spawners](./spawners-basics) can be set in the configuration file.
 This enables JupyterHub to be used with a variety of authentication methods or
-process control and deployment environments. [Some examples](config-examples),
+process control and deployment environments. [Some examples](../reference/config-examples),
-meant as illustrations, are:
+meant as illustration, are:
 - Using GitHub OAuth instead of PAM with [OAuthenticator](https://github.com/jupyterhub/oauthenticator)
 - Spawning single-user servers with Docker, using the [DockerSpawner](https://github.com/jupyterhub/dockerspawner)
@@ -99,4 +97,4 @@ maintenance, re-configuration, etc.), then user connections are not
 interrupted. For simplicity, by default the hub starts the proxy
 automatically, so if the hub restarts, the proxy restarts, and user
 connections are interrupted. It is easy to run the proxy separately,
-for information see [the separate proxy page](separate-proxy).
+for information see [the separate proxy page](../reference/separate-proxy).
--- a/docs/source/getting-started/faq.md
+++ b/docs/source/getting-started/faq.md
@@ -0,0 +1,35 @@
 # Frequently asked questions
 ### How do I share links to notebooks?
 In short, where you see `/user/name/notebooks/foo.ipynb` use `/hub/user-redirect/notebooks/foo.ipynb` (replace `/user/name` with `/hub/user-redirect`).
 Sharing links to notebooks is a common activity,
 and can look different based on what you mean.
 Your first instinct might be to copy the URL you see in the browser,
 e.g. `hub.jupyter.org/user/yourname/notebooks/coolthing.ipynb`.
 However, let's break down what this URL means:
 `hub.jupyter.org/user/yourname/` is the URL prefix handled by _your server_,
 which means that sharing this URL is asking the person you share the link with
 to come to _your server_ and look at the exact same file.
 In most circumstances, this is forbidden by permissions because the person you share with does not have access to your server.
 What actually happens when someone visits this URL will depend on whether your server is running and other factors.
 But what is our actual goal?
 A typical situation is that you have some shared or common filesystem,
 such that the same path corresponds to the same document
 (either the exact same document or another copy of it).
 Typically, what folks want when they do sharing like this
 is for each visitor to open the same file _on their own server_,
 so Breq would open `/user/breq/notebooks/foo.ipynb` and
 Seivarden would open `/user/seivarden/notebooks/foo.ipynb`, etc.
 JupyterHub has a special URL that does exactly this!
 It's called `/hub/user-redirect/...`.
 So if you replace `/user/yourname` in your URL bar
 with `/hub/user-redirect` any visitor should get the same
 URL on their own server, rather than visiting yours.
 In JupyterLab 2.0, this should also be the result of the "Copy Shareable Link"
 action in the file browser.
--- a/docs/source/getting-started/index.rst
+++ b/docs/source/getting-started/index.rst
@@ -0,0 +1,19 @@
 Get Started
 ===========
 This section covers how to configure and customize JupyterHub for your
 needs. It contains information about authentication, networking, security, and
 other topics that are relevant to individuals or organizations deploying their
 own JupyterHub.
 .. toctree::
   :maxdepth: 2
   config-basics
   networking-basics
   security-basics
   authenticators-users-basics
   spawners-basics
   services-basics
   faq
   institutional-faq
--- a/docs/source/getting-started/institutional-faq.md
+++ b/docs/source/getting-started/institutional-faq.md
@@ -8,16 +8,10 @@ broken down by their roles within organizations.
 ### Is it appropriate for adoption within a larger institutional context?
 Yes! JupyterHub has been used at-scale for large pools of users, as well
-as complex and high-performance computing.
+as complex and high-performance computing. For example, UC Berkeley uses
-For example,
+JupyterHub for its Data Science Education Program courses (serving over
-
+3,000 students). The Pangeo project uses JupyterHub to provide access
- UC Berkeley uses
+to scalable cloud computing with Dask. JupyterHub is stable and customizable
  JupyterHub for its Data Science Education Program courses (serving over
  3,000 students).
 - The Pangeo project uses JupyterHub to provide access
  to scalable cloud computing with Dask.
 JupyterHub is stable and customizable
 to the use-cases of large organizations.
 ### I keep hearing about Jupyter Notebook, JupyterLab, and now JupyterHub. What’s the difference?
@@ -32,7 +26,7 @@ Here is a quick breakdown of these three tools:
  has several extensions that are tailored for using Jupyter Notebooks, as well as extensions
  for other parts of the data science stack.
 - **JupyterHub** is an application that manages interactive computing sessions for **multiple users**.
-  It also connects users with infrastructure they wish to access. It can provide
+  It also connects them with infrastructure those users wish to access. It can provide
  remote access to Jupyter Notebooks and JupyterLab for many people.
 ## For management
@@ -41,7 +35,7 @@ Here is a quick breakdown of these three tools:
 JupyterHub provides a shared platform for data science and collaboration.
 It allows users to utilize familiar data science workflows (such as the scientific Python stack,
-the R tidyverse, and Jupyter Notebooks) on institutional infrastructure. It also gives administrators
+the R tidyverse, and Jupyter Notebooks) on institutional infrastructure. It also allows administrators
 some control over access to resources, security, environments, and authentication.
 ### Is JupyterHub mature? Why should we trust it?
@@ -66,12 +60,12 @@ Here is a sample of organizations that use JupyterHub:
 - **Universities and colleges**: UC Berkeley, UC San Diego, Cal Poly SLO, Harvard University, University of Chicago,
  University of Oslo, University of Sheffield, Université Paris Sud, University of Versailles
 - **Research laboratories**: NASA, NCAR, NOAA, the Large Synoptic Survey Telescope, Brookhaven National Lab,
-  Minnesota Supercomputing Institute, ALCF, CERN, Lawrence Livermore National Laboratory, HUNT
+  Minnesota Supercomputing Institute, ALCF, CERN, Lawrence Livermore National Laboratory
 - **Online communities**: Pangeo, Quantopian, mybinder.org, MathHub, Open Humans
 - **Computing infrastructure providers**: NERSC, San Diego Supercomputing Center, Compute Canada
 - **Companies**: Capital One, SANDVIK code, Globus
-See the [Gallery of JupyterHub deployments](gallery-of-deployments) for
+See the [Gallery of JupyterHub deployments](../gallery-jhub-deployments.md) for
 a more complete list of JupyterHub deployments at institutions.
 ### How does JupyterHub compare with hosted products, like Google Colaboratory, RStudio.cloud, or Anaconda Enterprise?
@@ -84,7 +78,7 @@ gives administrators more control over their setup and hardware.
 Because JupyterHub is an open-source, community-driven tool, it can be extended and
 modified to fit an institution's needs. It plays nicely with the open source data science
-stack, and can serve a variety of computing environments, user interfaces, and
+stack, and can serve a variety of computing enviroments, user interfaces, and
 computational hardware. It can also be deployed anywhere - on enterprise cloud infrastructure, on
 High-Performance-Computing machines, on local hardware, or even on a single laptop, which
 is not possible with most other tools for shared interactive computing.
@@ -105,12 +99,12 @@ that we currently suggest are:
  guide that runs on Kubernetes. Better for larger or dynamic user groups (50-10,000) or more complex
  compute/data needs.
 - [The Littlest JupyterHub](https://tljh.jupyter.org) is a lightweight JupyterHub that runs on a single
-  machine (in the cloud or under your desk). Better for smaller user groups (4-80) or more
+  single machine (in the cloud or under your desk). Better for smaller user groups (4-80) or more
  lightweight computational resources.
 ### Does JupyterHub run well in the cloud?
-**Yes** - most deployments of JupyterHub are run via cloud infrastructure and on a variety of cloud providers.
+Yes - most deployments of JupyterHub are run via cloud infrastructure and on a variety of cloud providers.
 Depending on the distribution of JupyterHub that you'd like to use, you can also connect your JupyterHub
 deployment with a number of other cloud-native services so that users have access to other resources from
 their interactive computing sessions.
@@ -124,15 +118,14 @@ as more resources are needed - allowing you to utilize the benefits of a flexibl
 ### Is JupyterHub secure?
-The short answer: yes.
+The short answer: yes. JupyterHub as a standalone application has been battle-tested at an institutional
 JupyterHub as a standalone application has been battle-tested at an institutional
 level for several years, and makes a number of "default" security decisions that are reasonable for most
 users.
 - For security considerations in the base JupyterHub application,
-  [see the JupyterHub security page](web-security).
+  [see the JupyterHub security page](https://jupyterhub.readthedocs.io/en/stable/reference/websecurity.html).
 - For security considerations when deploying JupyterHub on Kubernetes, see the
-  [JupyterHub on Kubernetes security page](https://z2jh.jupyter.org/en/latest/security.html).
+  [JupyterHub on Kubernetes security page](https://zero-to-jupyterhub.readthedocs.io/en/latest/security.html).
 The longer answer: it depends on your deployment. Because JupyterHub is very flexible, it can be used
 in a variety of deployment setups. This often entails connecting your JupyterHub to **other** infrastructure
@@ -141,11 +134,11 @@ in these cases, and the security of your JupyterHub deployment will often depend
 If you are worried about security, don't hesitate to reach out to the JupyterHub community in the
 [Jupyter Community Forum](https://discourse.jupyter.org/c/jupyterhub). This community of practice has many
-individuals with experience running secure JupyterHub deployments and will be very glad to help you out.
+individuals with experience running secure JupyterHub deployments.
 ### Does JupyterHub provide computing or data infrastructure?
-**No** - JupyterHub manages user sessions and can _control_ computing infrastructure, but it does not provide these
+No - JupyterHub manages user sessions and can _control_ computing infrastructure, but it does not provide these
 things itself. You are expected to run JupyterHub on your own infrastructure (local or in the cloud). Moreover,
 JupyterHub has no internal concept of "data", but is designed to be able to communicate with data repositories
 (again, either locally or remotely) for use within interactive computing sessions.
@@ -198,7 +191,7 @@ complex computing infrastructures from the interactive sessions of a JupyterHub.
 This is highly configurable by the administrator. If you wish for your users to have simple
 data analytics environments for prototyping and light data exploring, you can restrict their
 memory and CPU based on the resources that you have available. If you'd like your JupyterHub
-to serve as a gateway to high-performance computing or data resources, you may increase the
+to serve as a gateway to high-performance compute or data resources, you may increase the
 resources available on user machines, or connect them with computing infrastructures elsewhere.
 ### Can I customize the look and feel of a JupyterHub?
--- a/docs/source/tutorial/getting-started/networking-basics.md
+++ b/docs/source/tutorial/getting-started/networking-basics.md
@@ -41,9 +41,9 @@ port.
 ## Set the Proxy's REST API communication URL (optional)
-By default, the proxy's REST API listens on port 8081 of `localhost` only.
+By default, this REST API listens on port 8001 of `localhost` only.
-The Hub service talks to the proxy via a REST API on a secondary port.
+The Hub service talks to the proxy via a REST API on a secondary port. The
-The REST API URL (hostname and port) can be configured separately and override the default settings.
+API URL can be configured separately to override the default settings.
 ### Set api_url
--- a/docs/source/getting-started/security-basics.rst
+++ b/docs/source/getting-started/security-basics.rst
@@ -0,0 +1,261 @@
 Security settings
 =================
 .. important::
   You should not run JupyterHub without SSL encryption on a public network.
 Security is the most important aspect of configuring Jupyter. Three
 configuration settings are the main aspects of security configuration:
 1. :ref:`SSL encryption <ssl-encryption>` (to enable HTTPS)
 2. :ref:`Cookie secret <cookie-secret>` (a key for encrypting browser cookies)
 3. Proxy :ref:`authentication token <authentication-token>` (used for the Hub and
   other services to authenticate to the Proxy)
 The Hub hashes all secrets (e.g., auth tokens) before storing them in its
 database. A loss of control over read-access to the database should have
 minimal impact on your deployment; if your database has been compromised, it
 is still a good idea to revoke existing tokens.
 .. _ssl-encryption:
 Enabling SSL encryption
 -----------------------
 Since JupyterHub includes authentication and allows arbitrary code execution,
 you should not run it without SSL (HTTPS).
 Using an SSL certificate
 ~~~~~~~~~~~~~~~~~~~~~~~~
 This will require you to obtain an official, trusted SSL certificate or create a
 self-signed certificate. Once you have obtained and installed a key and
 certificate you need to specify their locations in the ``jupyterhub_config.py``
 configuration file as follows:
 .. code-block:: python
    c.JupyterHub.ssl_key = '/path/to/my.key'
    c.JupyterHub.ssl_cert = '/path/to/my.cert'
 Some cert files also contain the key, in which case only the cert is needed. It
 is important that these files be put in a secure location on your server, where
 they are not readable by regular users.
 If you are using a **chain certificate**, see also chained certificate for SSL
 in the JupyterHub `Troubleshooting FAQ <../troubleshooting.html>`_.
 Using letsencrypt
 ~~~~~~~~~~~~~~~~~
 It is also possible to use `letsencrypt <https://letsencrypt.org/>`_ to obtain
 a free, trusted SSL certificate. If you run letsencrypt using the default
 options, the needed configuration is (replace ``mydomain.tld`` by your fully
 qualified domain name):
 .. code-block:: python
    c.JupyterHub.ssl_key = '/etc/letsencrypt/live/{mydomain.tld}/privkey.pem'
    c.JupyterHub.ssl_cert = '/etc/letsencrypt/live/{mydomain.tld}/fullchain.pem'
 If the fully qualified domain name (FQDN) is ``example.com``, the following
 would be the needed configuration:
 .. code-block:: python
    c.JupyterHub.ssl_key = '/etc/letsencrypt/live/example.com/privkey.pem'
    c.JupyterHub.ssl_cert = '/etc/letsencrypt/live/example.com/fullchain.pem'
 If SSL termination happens outside of the Hub
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 In certain cases, for example if the hub is running behind a reverse proxy, and
 `SSL termination is being provided by NGINX <https://www.nginx.com/resources/admin-guide/nginx-ssl-termination/>`_,
 it is reasonable to run the hub without SSL.
 To achieve this, simply omit the configuration settings
 ``c.JupyterHub.ssl_key`` and ``c.JupyterHub.ssl_cert``
 (setting them to ``None`` does not have the same effect, and is an error).
 .. _authentication-token:
 Proxy authentication token
 --------------------------
 The Hub authenticates its requests to the Proxy using a secret token that
 the Hub and Proxy agree upon. Note that this applies to the default
 ``ConfigurableHTTPProxy`` implementation. Not all proxy implementations
 use an auth token.
 The value of this token should be a random string (for example, generated by
 ``openssl rand -hex 32``). You can store it in the configuration file or an
 environment variable
 Generating and storing token in the configuration file
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 You can set the value in the configuration file, ``jupyterhub_config.py``:
 .. code-block:: python
    c.ConfigurableHTTPProxy.api_token = 'abc123...' # any random string
 Generating and storing as an environment variable
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 You can pass this value of the proxy authentication token to the Hub and Proxy
 using the ``CONFIGPROXY_AUTH_TOKEN`` environment variable:
 .. code-block:: bash
    export CONFIGPROXY_AUTH_TOKEN=$(openssl rand -hex 32)
 This environment variable needs to be visible to the Hub and Proxy.
 Default if token is not set
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 If you don't set the Proxy authentication token, the Hub will generate a random
 key itself, which means that any time you restart the Hub you **must also
 restart the Proxy**. If the proxy is a subprocess of the Hub, this should happen
 automatically (this is the default configuration).
 .. _cookie-secret:
 Cookie secret
 -------------
 The cookie secret is an encryption key, used to encrypt the browser cookies
 which are used for authentication. Three common methods are described for
 generating and configuring the cookie secret.
 Generating and storing as a cookie secret file
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 The cookie secret should be 32 random bytes, encoded as hex, and is typically
 stored in a ``jupyterhub_cookie_secret`` file. An example command to generate the
 ``jupyterhub_cookie_secret`` file is:
 .. code-block:: bash
    openssl rand -hex 32 > /srv/jupyterhub/jupyterhub_cookie_secret
 In most deployments of JupyterHub, you should point this to a secure location on
 the file system, such as ``/srv/jupyterhub/jupyterhub_cookie_secret``.
 The location of the ``jupyterhub_cookie_secret`` file can be specified in the
 ``jupyterhub_config.py`` file as follows:
 .. code-block:: python
    c.JupyterHub.cookie_secret_file = '/srv/jupyterhub/jupyterhub_cookie_secret'
 If the cookie secret file doesn't exist when the Hub starts, a new cookie
 secret is generated and stored in the file. The file must not be readable by
 ``group`` or ``other`` or the server won't start. The recommended permissions
 for the cookie secret file are ``600`` (owner-only rw).
 Generating and storing as an environment variable
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 If you would like to avoid the need for files, the value can be loaded in the
 Hub process from the ``JPY_COOKIE_SECRET`` environment variable, which is a
 hex-encoded string. You can set it this way:
 .. code-block:: bash
    export JPY_COOKIE_SECRET=$(openssl rand -hex 32)
 For security reasons, this environment variable should only be visible to the
 Hub. If you set it dynamically as above, all users will be logged out each time
 the Hub starts.
 Generating and storing as a binary string
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 You can also set the cookie secret in the configuration file
 itself, ``jupyterhub_config.py``, as a binary string:
 .. code-block:: python
    c.JupyterHub.cookie_secret = bytes.fromhex('64 CHAR HEX STRING')
 .. important::
   If the cookie secret value changes for the Hub, all single-user notebook
   servers must also be restarted.
 .. _cookies:
 Cookies used by JupyterHub authentication
 -----------------------------------------
 The following cookies are used by the Hub for handling user authentication.
 This section was created based on this post_ from Discourse.
 .. _post: https://discourse.jupyter.org/t/how-to-force-re-login-for-users/1998/6
 jupyterhub-hub-login
 ~~~~~~~~~~~~~~~~~~~~
 This is the login token used when visiting Hub-served pages that are
 protected by authentication such as the main home, the spawn form, etc.
 If this cookie is set, then the user is logged in.
 Resetting the Hub cookie secret effectively revokes this cookie.
 This cookie is restricted to the path ``/hub/``.
 jupyterhub-user-<username>
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 This is the cookie used for authenticating with a single-user server.
 It is set by the single-user server after OAuth with the Hub.
 Effectively the same as ``jupyterhub-hub-login``, but for the
 single-user server instead of the Hub. It contains an OAuth access token,
 which is checked with the Hub to authenticate the browser.
 Each OAuth access token is associated with a session id (see ``jupyterhub-session-id`` section
 below).
 To avoid hitting the Hub on every request, the authentication response
 is cached. And to avoid a stale cache the cache key is comprised of both
 the token and session id.
 Resetting the Hub cookie secret effectively revokes this cookie.
 This cookie is restricted to the path ``/user/<username>``, so that
 only the user’s server receives it.
 jupyterhub-session-id
 ~~~~~~~~~~~~~~~~~~~~~
 This is a random string, meaningless in itself, and the only cookie
 shared by the Hub and single-user servers.
 Its sole purpose is to coordinate logout of the multiple OAuth cookies.
 This cookie is set to ``/`` so all endpoints can receive it, or clear it, etc.
 jupyterhub-user-<username>-oauth-state
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 A short-lived cookie, used solely to store and validate OAuth state.
 It is only set while OAuth between the single-user server and the Hub
 is processing.
 If you use your browser development tools, you should see this cookie
 for a very brief moment before your are logged in,
 with an expiration date shorter than ``jupyterhub-hub-login`` or
 ``jupyterhub-user-<username>``.
 This cookie should not exist after you have successfully logged in.
 This cookie is restricted to the path ``/user/<username>``, so that only
 the user’s server receives it.
--- a/docs/source/tutorial/getting-started/services-basics.md
+++ b/docs/source/tutorial/getting-started/services-basics.md
@@ -14,7 +14,7 @@ document will:
 - explain some basic information about API tokens
 - clarify that API tokens can be used to authenticate to
-  single-user servers as of [version 0.8.0](changelog)
+  single-user servers as of [version 0.8.0](../changelog)
 - show how the [jupyterhub_idle_culler][] script can be:
  - used in a Hub-managed service
  - run as a standalone script
@@ -24,31 +24,31 @@ Hub via the REST API.
 ## API Token basics
-### Step 1: Generate an API token
+### Create an API token
 To run such an external service, an API token must be created and
 provided to the service.
-As of [version 0.6.0](changelog), the preferred way of doing
+As of [version 0.6.0](../changelog), the preferred way of doing
 this is to first generate an API token:
 ```bash
 openssl rand -hex 32
 ```
-In [version 0.8.0](changelog), a TOKEN request page for
+In [version 0.8.0](../changelog), a TOKEN request page for
 generating an API token is available from the JupyterHub user interface:
-![Request API TOKEN page](/images/token-page.png)
+![Request API TOKEN page](../images/token-request.png)
-![API TOKEN success page](/images/token-request-success.png)
+![API TOKEN success page](../images/token-request-success.png)
-### Step 2: Pass environment variable with token to the Hub
+### Pass environment variable with token to the Hub
 In the case of `cull_idle_servers`, it is passed as the environment
 variable called `JUPYTERHUB_API_TOKEN`.
-### Step 3: Use API tokens for services and tasks that require external access
+### Use API tokens for services and tasks that require external access
 While API tokens are often associated with a specific user, API tokens
 can be used by services that require external access for activities
@@ -62,12 +62,12 @@ c.JupyterHub.services = [
 ]
 ```
-### Step 4: Restart JupyterHub
+### Restart JupyterHub
 Upon restarting JupyterHub, you should see a message like below in the
 logs:
-```none
+```
 Adding API token for <username>
 ```
@@ -78,55 +78,34 @@ single-user servers, and only cookies can be used for authentication.
 0.8 supports using JupyterHub API tokens to authenticate to single-user
 servers.
-## How to configure the idle culler to run as a Hub-Managed Service
+## Configure the idle culler to run as a Hub-Managed Service
-### Step 1: Install the idle culler:
+Install the idle culler:
 ```
 pip install jupyterhub-idle-culler
 ```
-### Step 2: In `jupyterhub_config.py`, add the following dictionary for the `idle-culler` Service to the `c.JupyterHub.services` list:
+In `jupyterhub_config.py`, add the following dictionary for the
 `idle-culler` Service to the `c.JupyterHub.services` list:
 ```python
 c.JupyterHub.services = [
    {
        'name': 'idle-culler',
        'admin': True,
        'command': [sys.executable, '-m', 'jupyterhub_idle_culler', '--timeout=3600'],
    }
 ]
 c.JupyterHub.load_roles = [
    {
        "name": "list-and-cull", # name the role
        "services": [
            "idle-culler", # assign the service to this role
        ],
        "scopes": [
            # declare what permissions the service should have
            "list:users", # list users
            "read:users:activity", # read user last-activity
            "admin:servers", # start/stop servers
        ],
    }
 ]
 ```
 where:
- `command` indicates that the Service will be launched as a
+- `'admin': True` indicates that the Service has 'admin' permissions, and
 - `'command'` indicates that the Service will be launched as a
  subprocess, managed by the Hub.
-```{versionchanged} 2.0
+## Run `cull-idle` manually as a standalone script
 Prior to 2.0, the idle-culler required 'admin' permissions.
 It now needs the scopes:
 - `list:users` to access the user list endpoint
 - `read:users:activity` to read activity info
 - `admin:servers` to start/stop servers
 ```
 ## How to run `cull-idle` manually as a standalone script
 Now you can run your script by providing it
 the API token and it will authenticate through the REST API to
@@ -135,8 +114,7 @@ interact with it.
 This will run the idle culler service manually. It can be run as a standalone
 script anywhere with access to the Hub, and will periodically check for idle
 servers and shut them down via the Hub's REST API. In order to shutdown the
-servers, the token given to `cull-idle` must have permission to list users
+servers, the token given to `cull-idle` must have admin privileges.
 and admin their servers.
 Generate an API token and store it in the `JUPYTERHUB_API_TOKEN` environment
 variable. Run `jupyterhub_idle_culler` manually.
--- a/docs/source/tutorial/getting-started/spawners-basics.md
+++ b/docs/source/tutorial/getting-started/spawners-basics.md
@@ -1,14 +1,12 @@
 (spawners)=
 # Spawners and single-user notebook servers
-A Spawner starts each single-user notebook server. Since the single-user server is an instance of `jupyter notebook`, an entire separate
+Since the single-user server is an instance of `jupyter notebook`, an entire separate
-multi-process application, many aspects of that server can be configured and there are a lot
+multi-process application, there are many aspects of that server that can be configured, and a lot
 of ways to express that configuration.
 At the JupyterHub level, you can set some values on the Spawner. The simplest of these is
 `Spawner.notebook_dir`, which lets you set the root directory for a user's server. This root
-notebook directory is the highest-level directory users will be able to access in the notebook
+notebook directory is the highest level directory users will be able to access in the notebook
 dashboard. In this example, the root notebook directory is set to `~/notebooks`, where `~` is
 expanded to the user's home directory.
@@ -22,7 +20,7 @@ You can also specify extra command line arguments to the notebook server with:
 c.Spawner.args = ['--debug', '--profile=PHYS131']
 ```
-This could be used to set the user's default page for the single-user server:
+This could be used to set the users default page for the single user server:
 ```python
 c.Spawner.args = ['--NotebookApp.default_url=/notebooks/Welcome.ipynb']
--- a/docs/source/howto/api-only.md
+++ b/docs/source/howto/api-only.md
@@ -1,128 +0,0 @@
 (api-only)=
 # Deploying JupyterHub in "API only mode"
 As a service for deploying and managing Jupyter servers for users, JupyterHub
 exposes this functionality _primarily_ via a [REST API](rest).
 For convenience, JupyterHub also ships with a _basic_ web UI built using that REST API.
 The basic web UI enables users to click a button to quickly start and stop their servers,
 and it lets admins perform some basic user and server management tasks.
 The REST API has always provided additional functionality beyond what is available in the basic web UI.
 Similarly, we avoid implementing UI functionality that is also not available via the API.
 With JupyterHub 2.0, the basic web UI will **always** be composed using the REST API.
 In other words, no UI pages should rely on information not available via the REST API.
 Previously, some admin UI functionality could only be achieved via admin pages,
 such as paginated requests.
 ## Limited UI customization via templates
 The JupyterHub UI is customizable via extensible HTML [templates](templates),
 but this has some limited scope to what can be customized.
 Adding some content and messages to existing pages is well supported,
 but changing the page flow and what pages are available are beyond the scope of what is customizable.
 ## Rich UI customization with REST API based apps
 Increasingly, JupyterHub is used purely as an API for managing Jupyter servers
 for other Jupyter-based applications that might want to present a different user experience.
 If you want a fully customized user experience,
 you can now disable the Hub UI and use your own pages together with the JupyterHub REST API
 to build your own web application to serve your users,
 relying on the Hub only as an API for managing users and servers.
 One example of such an application is [BinderHub][], which powers https://mybinder.org,
 and motivates many of these changes.
 BinderHub is distinct from a traditional JupyterHub deployment
 because it uses temporary users created for each launch.
 Instead of presenting a login page,
 users are presented with a form to specify what environment they would like to launch:
 ![Binder launch form](../images/binderhub-form.png)
 When a launch is requested:
 1. an image is built, if necessary
 2. a temporary user is created,
 3. a server is launched for that user, and
 4. when running, users are redirected to an already running server with an auth token in the URL
 5. after the session is over, the user is deleted
 This means that a lot of JupyterHub's UI flow doesn't make sense:
 - there is no way for users to login
 - the human user doesn't map onto a JupyterHub `User` in a meaningful way
 - when a server isn't running, there isn't a 'restart your server' action available because the user has been deleted
 - users do not have any access to any Hub functionality, so presenting pages for those features would be confusing
 BinderHub is one of the motivating use cases for JupyterHub supporting being used _only_ via its API.
 We'll use BinderHub here as an example of various configuration options.
 [binderhub]: https://binderhub.readthedocs.io
 ## Disabling Hub UI
 `c.JupyterHub.hub_routespec` is a configuration option to specify which URL prefix should be routed to the Hub.
 The default is `/` which means that the Hub will receive all requests not already specified to be routed somewhere else.
 There are three values that are most logical for `hub_routespec`:
 - `/` - this is the default, and used in most deployments.
  It is also the only option prior to JupyterHub 1.4.
 - `/hub/` - this serves only Hub pages, both UI and API
 - `/hub/api` - this serves _only the Hub API_, so all Hub UI is disabled,
  aside from the OAuth confirmation page, if used.
 If you choose a hub routespec other than `/`,
 the main JupyterHub feature you will lose is the automatic handling of requests for `/user/:username`
 when the requested server is not running.
 JupyterHub's handling of this request shows this page,
 telling you that the server is not running,
 with a button to launch it again:
 ![screenshot of hub page for server not running](../images/server-not-running.png)
 If you set `hub_routespec` to something other than `/`,
 it is likely that you also want to register another destination for `/` to handle requests to not-running servers.
 If you don't, you will see a default 404 page from the proxy:
 ![screenshot of CHP default 404](../images/chp-404.png)
 For mybinder.org, the default "start my server" page doesn't make sense,
 because when a server is gone, there is no restart action.
 Instead, we provide hints about how to get back to a link to start a _new_ server:
 ![screenshot of mybinder.org 404](../images/binder-404.png)
 To achieve this, mybinder.org registers a route for `/` that goes to a custom endpoint
 that runs nginx and only serves this static HTML error page.
 This is set with
 ```python
 c.Proxy.extra_routes = {
    "/": "http://custom-404-entpoint/",
 }
 ```
 You may want to use an alternate behavior, such as redirecting to a landing page,
 or taking some other action based on the requested page.
 If you use `c.JupyterHub.hub_routespec = "/hub/"`,
 then all the Hub pages will be available,
 and only this default-page-404 issue will come up.
 If you use `c.JupyterHub.hub_routespec = "/hub/api/"`,
 then only the Hub _API_ will be available,
 and all UI will be up to you.
 mybinder.org takes this last option,
 because none of the Hub UI pages really make sense.
 Binder users don't have any reason to know or care that JupyterHub happens
 to be an implementation detail of how their environment is managed.
 Seeing Hub error pages and messages in that situation is more likely to be confusing than helpful.
 :::{versionadded} 1.4
 `c.JupyterHub.hub_routespec` and `c.Proxy.extra_routes` are new in JupyterHub 1.4.
 :::
--- a/docs/source/howto/configuration/config-user-env.md
+++ b/docs/source/howto/configuration/config-user-env.md
@@ -1,263 +0,0 @@
 # Configuring user environments
 To deploy JupyterHub means you are providing Jupyter notebook environments for
 multiple users. Often, this includes a desire to configure the user
 environment in a custom way.
 Since the `jupyterhub-singleuser` server extends the standard Jupyter notebook
 server, most configuration and documentation that applies to Jupyter Notebook
 applies to the single-user environments. Configuration of user environments
 typically does not occur through JupyterHub itself, but rather through system-wide
 configuration of Jupyter, which is inherited by `jupyterhub-singleuser`.
 **Tip:** When searching for configuration tips for JupyterHub user environments, you might want to remove JupyterHub from your search because there are a lot more people out there configuring Jupyter than JupyterHub and the configuration is the same.
 This section will focus on user environments, which includes the following:
 - [Installing packages](#installing-packages)
 - [Configuring Jupyter and IPython](#configuring-jupyter-and-ipython)
 - [Installing kernelspecs](#installing-kernelspecs)
 - [Using containers vs. multi-user hosts](#multi-user-hosts-vs-containers)
 ## Installing packages
 To make packages available to users, you will typically install packages system-wide or in a shared environment.
 This installation location should always be in the same environment where
 `jupyterhub-singleuser` itself is installed in, and must be _readable and
 executable_ by your users. If you want your users to be able to install additional
 packages, the installation location must also be _writable_ by your users.
 If you are using a standard Python installation on your system, use the following command:
 ```bash
 sudo python3 -m pip install numpy
 ```
 to install the numpy package in the default Python 3 environment on your system
 (typically `/usr/local`).
 You may also use conda to install packages. If you do, you should make sure
 that the conda environment has appropriate permissions for users to be able to
 run Python code in the env. The env must be _readable and executable_ by all
 users. Additionally it must be _writeable_ if you want users to install
 additional packages.
 ## Configuring Jupyter and IPython
 [Jupyter](https://jupyter-notebook.readthedocs.io/en/stable/configuring/config_overview.html)
 and [IPython](https://ipython.readthedocs.io/en/stable/development/config.html)
 have their own configuration systems.
 As a JupyterHub administrator, you will typically want to install and configure environments for all JupyterHub users. For example, let's say you wish for each student in a class to have the same user environment configuration.
 Jupyter and IPython support **"system-wide"** locations for configuration, which is the logical place to put global configuration that you want to affect all users. It's generally more efficient to configure user environments "system-wide", and it's a good practice to avoid creating files in the users' home directories.
 The typical locations for these config files are:
 - **system-wide** in `/etc/{jupyter|ipython}`
 - **env-wide** (environment wide) in `{sys.prefix}/etc/{jupyter|ipython}`.
 ### Jupyter environment configuration priority
 When Jupyter runs in an environment (conda or virtualenv), it prefers to load configuration from the environment over each user's own configuration (e.g. in `~/.jupyter`).
 This may cause issues if you use a _shared_ conda environment or virtualenv for users, because e.g. jupyterlab may try to write information like workspaces or settings to the environment instead of the user's own directory.
 This could fail with something like `Permission denied: $PREFIX/etc/jupyter/lab`.
 To avoid this issue, set `JUPYTER_PREFER_ENV_PATH=0` in the user environment:
 ```python
 c.Spawner.environment.update(
    {
        "JUPYTER_PREFER_ENV_PATH": "0",
    }
 )
 ```
 which tells Jupyter to prefer _user_ configuration paths (e.g. in `~/.jupyter`) to configuration set in the environment.
 ### Example: Enable an extension system-wide
 For example, to enable the `cython` IPython extension for all of your users, create the file `/etc/ipython/ipython_config.py`:
 ```python
 c.InteractiveShellApp.extensions.append("cython")
 ```
 ### Example: Enable a Jupyter notebook configuration setting for all users
 :::{note}
 These examples configure the Jupyter ServerApp, which is used by JupyterLab, the default in JupyterHub 2.0.
 If you are using the classing Jupyter Notebook server,
 the same things should work,
 with the following substitutions:
 - Search for `jupyter_server_config`, and replace with `jupyter_notebook_config`
 - Search for `NotebookApp`, and replace with `ServerApp`
 :::
 To enable Jupyter notebook's internal idle-shutdown behavior (requires notebook ≥ 5.4), set the following in the `/etc/jupyter/jupyter_server_config.py` file:
 ```python
 # shutdown the server after no activity for an hour
 c.ServerApp.shutdown_no_activity_timeout = 60 * 60
 # shutdown kernels after no activity for 20 minutes
 c.MappingKernelManager.cull_idle_timeout = 20 * 60
 # check for idle kernels every two minutes
 c.MappingKernelManager.cull_interval = 2 * 60
 ```
 ## Installing kernelspecs
 You may have multiple Jupyter kernels installed and want to make sure that they are available to all of your users. This means installing kernelspecs either system-wide (e.g. in /usr/local/) or in the `sys.prefix` of JupyterHub
 itself.
 Jupyter kernelspec installation is system-wide by default, but some kernels
 may default to installing kernelspecs in your home directory. These will need
 to be moved system-wide to ensure that they are accessible.
 To see where your kernelspecs are, you can use the following command:
 ```bash
 jupyter kernelspec list
 ```
 ### Example: Installing kernels system-wide
 Let's assume that I have a Python 2 and Python 3 environment that I want to make sure are available, I can install their specs **system-wide** (in /usr/local) using the following command:
 ```bash
 /path/to/python3 -m ipykernel install --prefix=/usr/local
 /path/to/python2 -m ipykernel install --prefix=/usr/local
 ```
 ## Multi-user hosts vs. Containers
 There are two broad categories of user environments that depend on what
 Spawner you choose:
 - Multi-user hosts (shared system)
 - Container-based
 How you configure user environments for each category can differ a bit
 depending on what Spawner you are using.
 The first category is a **shared system (multi-user host)** where
 each user has a JupyterHub account, a home directory as well as being
 a real system user. In this example, shared configuration and installation
 must be in a 'system-wide' location, such as `/etc/`, or `/usr/local`
 or a custom prefix such as `/opt/conda`.
 When JupyterHub uses **container-based** Spawners (e.g. KubeSpawner or
 DockerSpawner), the 'system-wide' environment is really the container image used for users.
 In both cases, you want to _avoid putting configuration in user home
 directories_ because users can change those configuration settings. Also, home directories typically persist once they are created, thereby making it difficult for admins to update later.
 ## Named servers
 By default, in a JupyterHub deployment, each user has one server only.
 JupyterHub can, however, have multiple servers per user.
 This is mostly useful in deployments where users can configure the environment in which their server will start (e.g. resource requests on an HPC cluster), so that a given user can have multiple configurations running at the same time, without having to stop and restart their own server.
 To allow named servers, include this code snippet in your config file:
 ```python
 c.JupyterHub.allow_named_servers = True
 ```
 Named servers were implemented in the REST API in JupyterHub 0.8,
 and JupyterHub 1.0 introduces UI for managing named servers via the user home page:
 ![named servers on the home page](/images/named-servers-home.png)
 as well as the admin page:
 ![named servers on the admin page](/images/named-servers-admin.png)
 Named servers can be accessed, created, started, stopped, and deleted
 from these pages. Activity tracking is now per server as well.
 To limit the number of **named server** per user by setting a constant value, include this code snippet in your config file:
 ```python
 c.JupyterHub.named_server_limit_per_user = 5
 ```
 Alternatively, to use a callable/awaitable based on the handler object, include this code snippet in your config file:
 ```python
 def named_server_limit_per_user_fn(handler):
    user = handler.current_user
    if user and user.admin:
        return 0
    return 5
 c.JupyterHub.named_server_limit_per_user = named_server_limit_per_user_fn
 ```
 This can be useful for quota service implementations. The example above limits the number of named servers for non-admin users only.
 If `named_server_limit_per_user` is set to `0`, no limit is enforced.
 When using named servers, Spawners may need additional configuration to take the `servername` into account. Whilst `KubeSpawner` takes the `servername` into account by default in [`pod_name_template`](https://jupyterhub-kubespawner.readthedocs.io/en/latest/spawner.html#kubespawner.KubeSpawner.pod_name_template), other Spawners may not. Check the documentation for the specific Spawner to see how singleuser servers are named, for example in `DockerSpawner` this involves modifying the [`name_template`](https://jupyterhub-dockerspawner.readthedocs.io/en/latest/api/index.html) setting to include `servername`, eg. `"{prefix}-{username}-{servername}"`.
 (classic-notebook-ui)=
 ## Switching back to the classic notebook
 By default, the single-user server launches JupyterLab,
 which is based on [Jupyter Server][].
 This is the default server when running JupyterHub ≥ 2.0.
 To switch to using the legacy Jupyter Notebook server (notebook < 7.0), you can set the `JUPYTERHUB_SINGLEUSER_APP` environment variable
 (in the single-user environment) to:
 ```bash
 export JUPYTERHUB_SINGLEUSER_APP='notebook.notebookapp.NotebookApp'
 ```
 :::{note}
 ```
 JUPYTERHUB_SINGLEUSER_APP='notebook.notebookapp.NotebookApp'
 ```
 is only valid for notebook < 7. notebook v7 is based on jupyter-server,
 and the default jupyter-server application must be used.
 Selecting the new notebook UI is no longer a matter of selecting the server app to launch,
 but only the default URL for users to visit.
 To use notebook v7 with JupyterHub, leave the default singleuser app config alone (or specify `JUPYTERHUB_SINGLEUSER_APP=jupyter-server`) and set the default _URL_ for user servers:
 ```python
 c.Spawner.default_url = '/tree/'
 ```
 :::
 [jupyter server]: https://jupyter-server.readthedocs.io
 [jupyter notebook]: https://jupyter-notebook.readthedocs.io
 :::{versionchanged} 2.0
 JupyterLab is now the default single-user UI, if available,
 which is based on the [Jupyter Server][],
 no longer the legacy [Jupyter Notebook][] server.
 JupyterHub prior to 2.0 launched the legacy notebook server (`jupyter notebook`),
 and the Jupyter server could be selected by specifying the following:
 ```python
 # jupyterhub_config.py
 c.Spawner.cmd = ["jupyter-labhub"]
 ```
 Alternatively, for an otherwise customized Jupyter Server app,
 set the environment variable using the following command:
 ```bash
 export JUPYTERHUB_SINGLEUSER_APP='jupyter_server.serverapp.ServerApp'
 ```
 :::
--- a/docs/source/howto/index.md
+++ b/docs/source/howto/index.md
@@ -1,34 +0,0 @@
 # How-to
 The _How-to_ guides provide practical step-by-step details to help you achieve a particular goal. They are useful when you are trying to get something done but require you to understand and adapt the steps to your specific usecase.
 Use the following guides when:
 ```{toctree}
 :maxdepth: 1
 api-only
 proxy
 rest
 separate-proxy
 templates
 upgrading
 log-messages
 ```
 (config-examples)=
 ## Configuration
 The following guides provide examples, including configuration files and tips, for the
 following:
 ```{toctree}
 :maxdepth: 1
 configuration/config-user-env
 configuration/config-ghoauth
 configuration/config-proxy
 configuration/config-sudo
 ```
--- a/docs/source/howto/log-messages.md
+++ b/docs/source/howto/log-messages.md
@@ -1,72 +0,0 @@
 # Interpreting common log messages
 When debugging errors and outages, looking at the logs emitted by
 JupyterHub is very helpful. This document intends to describe some common
 log messages, what they mean and what are the most common causes that generated them, as well as some possible ways to fix them.
 ## Failing suspected API request to not-running server
 ### Example
 Your logs might be littered with lines that look scary
 ```
 [W 2022-03-10 17:25:19.774 JupyterHub base:1349] Failing suspected API request to not-running server: /hub/user/<user-name>/api/metrics/v1
 ```
 ### Cause
 This likely means that the user's server has stopped running but they
 still have a browser tab open. For example, you might have 3 tabs open and you shut
 the server down via one.
 Another possible reason could be that you closed your laptop and the server was culled for inactivity, then reopened the laptop!
 However, the client-side code (JupyterLab, Classic Notebook, etc) doesn't interpret the shut-down server and continues to make some API requests.
 JupyterHub's architecture means that the proxy routes all requests that
 don't go to a running user server to the hub process itself. The hub
 process then explicitly returns a failure response, so the client knows
 that the server is not running anymore. This is used by JupyterLab to
 inform the user that the server is not running anymore, and provide an option
 to restart it.
 Most commonly, you'll see this in reference to the `/api/metrics/v1`
 URL, used by [jupyter-resource-usage](https://github.com/jupyter-server/jupyter-resource-usage).
 ### Actions you can take
 This log message is benign, and there is usually no action for you to take.
 ## JupyterHub Singleuser Version mismatch
 ### Example
 ```
 jupyterhub version 1.5.0 != jupyterhub-singleuser version 1.3.0. This could cause failure to authenticate and result in redirect loops!
 ```
 ### Cause
 JupyterHub requires the `jupyterhub` python package installed inside the image or
 environment, the user server starts in. This message indicates that the version of
 the `jupyterhub` package installed inside the user image or environment is not
 the same as the JupyterHub server's version itself. This is not necessarily always a
 problem - some version drift is mostly acceptable, and the only two known cases of
 breakage are across the 0.7 and 2.0 version releases. In those cases, issues pop
 up immediately after upgrading your version of JupyterHub, so **always check the JupyterHub
 changelog before upgrading!**. The primary problems this _could_ cause are:
 1. Infinite redirect loops after the user server starts
 2. Missing expected environment variables in the user server once it starts
 3. Failure for the started user server to authenticate with the JupyterHub server -
   note that this is _not_ the same as _user authentication_ failing!
 However, for the most part, unless you are seeing these specific issues, the log
 message should be counted as a warning to get the `jupyterhub` package versions
 aligned, rather than as an indicator of an existing problem.
 ### Actions you can take
 Upgrade the version of the `jupyterhub` package in your user environment or image
 so that it matches the version of JupyterHub running your JupyterHub server! If you
 are using the [zero-to-jupyterhub](https://z2jh.jupyter.org) helm chart, you can find the appropriate
 version of the `jupyterhub` package to install in your user image [here](https://jupyterhub.github.io/helm-chart/)
--- a/docs/source/howto/rest.md
+++ b/docs/source/howto/rest.md
@@ -1,339 +0,0 @@
 (using-jupyterhub-rest-api)=
 # Using JupyterHub's REST API
 This section will give you information on:
 - What you can do with the API
 - How to create an API token
 - Assigning permissions to a token
 - Updating to admin services
 - Making an API request programmatically using the requests library
 - Paginating API requests
 - Enabling users to spawn multiple named-servers via the API
 - Learn more about JupyterHub's API
 Before we discuss about JupyterHub's REST API, you can learn about [REST APIs here](https://en.wikipedia.org/wiki/Representational_state_transfer). A REST
 API provides a standard way for users to get and send information to the
 Hub.
 ## What you can do with the API
 Using the [JupyterHub REST API](jupyterhub-rest-API), you can perform actions on the Hub,
 such as:
 - Checking which users are active
 - Adding or removing users
 - Stopping or starting single user notebook servers
 - Authenticating services
 - Communicating with an individual Jupyter server's REST API
 ## Create an API token
 To send requests using the JupyterHub API, you must pass an API token with
 the request.
 While JupyterHub is running, any JupyterHub user can request a token via the `token` page.
 This is accessible via a `token` link in the top nav bar from the JupyterHub home page,
 or at the URL `/hub/token`.
 :::{figure-md}
 ![token request page](../images/token-page.png)
 JupyterHub's API token page
 :::
 :::{figure-md}
 ![token-request-success](../images/token-request-success.png)
 JupyterHub's token page after successfully requesting a token.
 :::
 ### Register API tokens via configuration
 Sometimes, you'll want to pre-generate a token for access to JupyterHub,
 typically for use by external services,
 so that both JupyterHub and the service have access to the same value.
 First, you need to generate a good random secret.
 A good way of generating an API token is by running:
 ```bash
 openssl rand -hex 32
 ```
 This `openssl` command generates a random token that can be added to the JupyterHub configuration in `jupyterhub_config.py`.
 For external services, this would be registered with JupyterHub via configuration:
 ```python
 c.JupyterHub.services = [
    {
        "name": "my-service",
        "api_token": the_secret_value,
    },
 ]
 ```
 At this point, requests authenticated with the token will be associated with The service `my-service`.
 ```{note}
 You can also load additional tokens for users via the `JupyterHub.api_tokens` configuration.
 However, this option has been deprecated since the introduction of services.
 ```
 ## Assigning permissions to a token
 Prior to JupyterHub 2.0, there were two levels of permissions:
 1. user, and
 2. admin
 where a token would always have full permissions to do whatever its owner could do.
 In JupyterHub 2.0,
 specific permissions are now defined as '**scopes**',
 and can be assigned both at the user/service level,
 and at the individual token level.
 This allows e.g. a user with full admin permissions to request a token with limited permissions.
 ## Updating to admin services
 ```{note}
 The `api_tokens` configuration has been softly deprecated since the introduction of services.
 We have no plans to remove it,
 but deployments are encouraged to use service configuration instead.
 ```
 If you have been using `api_tokens` to create an admin user
 and the token for that user to perform some automations, then
 the services' mechanism may be a better fit if you have the following configuration:
 ```python
 c.JupyterHub.admin_users = {"service-admin"}
 c.JupyterHub.api_tokens = {
    "secret-token": "service-admin",
 }
 ```
 This can be updated to create a service, with the following configuration:
 ```python
 c.JupyterHub.services = [
    {
        # give the token a name
        "name": "service-admin",
        "api_token": "secret-token",
        # "admin": True, # if using JupyterHub 1.x
    },
 ]
 # roles were introduced in JupyterHub 2.0
 # prior to 2.0, only "admin": True or False was available
 c.JupyterHub.load_roles = [
    {
        "name": "service-role",
        "scopes": [
            # specify the permissions the token should have
            "admin:users",
        ],
        "services": [
            # assign the service the above permissions
            "service-admin",
        ],
    }
 ]
 ```
 The token will have the permissions listed in the role
 (see [scopes][] for a list of available permissions),
 but there will no longer be a user account created to house it.
 The main noticeable difference between a user and a service is that there will be no notebook server associated with the account
 and the service will not show up in the various user list pages and APIs.
 ## Make an API request
 To authenticate your requests, pass the API token in the request's
 Authorization header.
 ### Use requests
 Using the popular Python [requests](https://docs.python-requests.org)
 library, an API GET request is made, and the request sends an API token for
 authorization. The response contains information about the users, here's example code to make an API request for the users of a JupyterHub deployment
 ```python
 import requests
 api_url = 'http://127.0.0.1:8081/hub/api'
 r = requests.get(api_url + '/users',
    headers={
        'Authorization': f'token {token}',
    }
 )
 r.raise_for_status()
 users = r.json()
 ```
 This example provides a slightly more complicated request, yet the
 process is very similar:
 ```python
 import requests
 api_url = 'http://127.0.0.1:8081/hub/api'
 data = {'name': 'mygroup', 'users': ['user1', 'user2']}
 r = requests.post(api_url + '/groups/formgrade-data301/users',
    headers={
        'Authorization': f'token {token}',
    },
    json=data,
 )
 r.raise_for_status()
 r.json()
 ```
 The same API token can also authorize access to the [Jupyter Notebook REST API][]
 provided by notebook servers managed by JupyterHub if it has the necessary `access:servers` scope.
 (api-pagination)=
 ## Paginating API requests
 ```{versionadded} 2.0
 ```
 Pagination is available through the `offset` and `limit` query parameters on
 list endpoints, which can be used to return ideally sized windows of results.
 Here's example code demonstrating pagination on the `GET /users`
 endpoint to fetch the first 20 records.
 ```python
 import os
 import requests
 api_url = 'http://127.0.0.1:8081/hub/api'
 r = requests.get(
    api_url + '/users?offset=0&limit=20',
    headers={
        "Accept": "application/jupyterhub-pagination+json",
        "Authorization": f"token {token}",
    },
 )
 r.raise_for_status()
 r.json()
 ```
 For backward-compatibility, the default structure of list responses is unchanged.
 However, this lacks pagination information (e.g. is there a next page),
 so if you have enough users that they won't fit in the first response,
 it is a good idea to opt-in to the new paginated list format.
 There is a new schema for list responses which include pagination information.
 You can request this by including the header:
 ```
 Accept: application/jupyterhub-pagination+json
 ```
 with your request, in which case a response will look like:
 ```python
 {
  "items": [
    {
      "name": "username",
      "kind": "user",
      ...
    },
  ],
  "_pagination": {
    "offset": 0,
    "limit": 20,
    "total": 50,
    "next": {
      "offset": 20,
      "limit": 20,
      "url": "http://127.0.0.1:8081/hub/api/users?limit=20&offset=20"
    }
  }
 }
 ```
 where the list results (same as pre-2.0) will be in `items`,
 and pagination info will be in `_pagination`.
 The `next` field will include the `offset`, `limit`, and `url` for requesting the next page.
 `next` will be `null` if there is no next page.
 Pagination is governed by two configuration options:
 - `JupyterHub.api_page_default_limit` - the page size, if `limit` is unspecified in the request
  and the new pagination API is requested
  (default: 50)
 - `JupyterHub.api_page_max_limit` - the maximum page size a request can ask for (default: 200)
 Pagination is enabled on the `GET /users`, `GET /groups`, and `GET /proxy` REST endpoints.
 ## Enabling users to spawn multiple named-servers via the API
 Support for multiple servers per user was introduced in JupyterHub [version 0.8.](changelog)
 Prior to that, each user could only launch a single default server via the API
 like this:
 ```bash
 curl -X POST -H "Authorization: token <token>" "http://127.0.0.1:8081/hub/api/users/<user>/server"
 ```
 With the named-server functionality, it's now possible to launch more than one
 specifically named servers against a given user. This could be used, for instance,
 to launch each server based on a different image.
 First you must enable named-servers by including the following setting in the `jupyterhub_config.py` file.
 `c.JupyterHub.allow_named_servers = True`
 If you are using the [zero-to-jupyterhub-k8s](https://github.com/jupyterhub/zero-to-jupyterhub-k8s) set-up to run JupyterHub,
 then instead of editing the `jupyterhub_config.py` file directly, you could pass
 the following as part of the `config.yaml` file, as per the [tutorial](https://z2jh.jupyter.org/en/latest/):
 ```bash
 hub:
  extraConfig: |
    c.JupyterHub.allow_named_servers = True
 ```
 With that setting in place, a new named-server is activated like this:
 ```bash
 curl -X POST -H "Authorization: token <token>" "http://127.0.0.1:8081/hub/api/users/<user>/servers/<serverA>"
 curl -X POST -H "Authorization: token <token>" "http://127.0.0.1:8081/hub/api/users/<user>/servers/<serverB>"
 ```
 The same servers can be stopped by substituting `DELETE` for `POST` above.
 ### Some caveats for using named-servers
 For named-servers via the API to work, the spawner used to spawn these servers
 will need to be able to handle the case of multiple servers per user and ensure
 uniqueness of names, particularly if servers are spawned via docker containers
 or kubernetes pods.
 ## Learn more about the API
 You can see the full [JupyterHub REST API](jupyterhub-rest-api) for more details.
 [openapi initiative]: https://www.openapis.org/
 [jupyterhub rest api]: ./rest-api
 [scopes]: ../rbac/scopes.md
 [jupyter notebook rest api]: https://petstore3.swagger.io/?url=https://raw.githubusercontent.com/jupyter/notebook/HEAD/notebook/services/api/api.yaml
--- a/docs/source/howto/upgrading.md
+++ b/docs/source/howto/upgrading.md
@@ -1,141 +0,0 @@
 (upgrading-jupyterhub)=
 # Upgrading JupyterHub
 JupyterHub offers easy upgrade pathways between minor versions. This
 document describes how to do these upgrades.
 If you are using {ref}`a JupyterHub distribution <index/distributions>`, you
 should consult the distribution's documentation on how to upgrade. This documentation is
 for those who have set up their JupyterHub without using a distribution.
 This documentation is lengthy because it is quite detailed. Most likely, upgrading
 JupyterHub is painless, quick and with minimal user interruption.
 The steps are discussed in detail, so if you get stuck at any step you can always refer to this guide.
 ## Read the Changelog
 The [changelog](changelog) contains information on what has
 changed with the new JupyterHub release and any deprecation warnings.
 Read these notes to familiarize yourself with the coming changes. There
 might be new releases of the authenticators & spawners you use, so
 read the changelogs for those too!
 ## Notify your users
 If you use the default configuration where `configurable-http-proxy`
 is managed by JupyterHub, your users will see service disruption during
 the upgrade process. You should notify them, and pick a time to do the
 upgrade where they will be least disrupted.
 If you use a different proxy or run `configurable-http-proxy`
 independent of JupyterHub, your users will be able to continue using notebook
 servers they had already launched, but will not be able to launch new servers or sign in.
 ## Backup database & config
 Before doing an upgrade, it is critical to back up:
 1. Your JupyterHub database (SQLite by default, or MySQL / Postgres if you used those).
   If you use SQLite (the default), you should backup the `jupyterhub.sqlite` file.
 2. Your `jupyterhub_config.py` file.
 3. Your users' home directories. This is unlikely to be affected directly by
   a JupyterHub upgrade, but we recommend a backup since user data is critical.
 ## Shut down JupyterHub
 Shut down the JupyterHub process. This would vary depending on how you
 have set up JupyterHub to run. It is most likely using a process
 supervisor of some sort (`systemd` or `supervisord` or even `docker`).
 Use the supervisor-specific command to stop the JupyterHub process.
 ## Upgrade JupyterHub packages
 There are two environments where the `jupyterhub` package is installed:
 1. The _hub environment_: where the JupyterHub server process
   runs. This is started with the `jupyterhub` command, and is what
   people generally think of as JupyterHub.
 2. The _notebook user environments_: where the user notebook
   servers are launched from, and is probably custom to your own
   installation. This could be just one environment (different from the
   hub environment) that is shared by all users, one environment
   per user, or the same environment as the hub environment. The hub
   launched the `jupyterhub-singleuser` command in this environment,
   which in turn starts the notebook server.
 You need to make sure the version of the `jupyterhub` package matches
 in both these environments. If you installed `jupyterhub` with pip,
 you can upgrade it with:
 ```bash
 python3 -m pip install --upgrade jupyterhub==<version>
 ```
 Where `<version>` is the version of JupyterHub you are upgrading to.
 If you used `conda` to install `jupyterhub`, you should upgrade it
 with:
 ```bash
 conda install -c conda-forge jupyterhub==<version>
 ```
 You should also check for new releases of the authenticator & spawner you
 are using. You might wish to upgrade those packages, too, along with JupyterHub
 or upgrade them separately.
 ## Upgrade JupyterHub database
 Once new packages are installed, you need to upgrade the JupyterHub
 database. From the hub environment, in the same directory as your
 `jupyterhub_config.py` file, you should run:
 ```bash
 jupyterhub upgrade-db
 ```
 This should find the location of your database, and run the necessary upgrades
 for it.
 ### SQLite database disadvantages
 SQLite has some disadvantages when it comes to upgrading JupyterHub. These
 are:
 - `upgrade-db` may not work, and you may need to delete your database
  and start with a fresh one.
 - `downgrade-db` **will not** work if you want to rollback to an
  earlier version, so backup the `jupyterhub.sqlite` file before
  upgrading.
 ### What happens if I delete my database?
 Losing the Hub database is often not a big deal. Information that
 resides only in the Hub database includes:
 - active login tokens (user cookies, service tokens)
 - users added via JupyterHub UI, instead of config files
 - info about running servers
 If the following conditions are true, you should be fine clearing the
 Hub database and starting over:
 - users specified in the config file, or login using an external
  authentication provider (Google, GitHub, LDAP, etc)
 - user servers are stopped during the upgrade
 - don't mind causing users to log in again after the upgrade
 ## Start JupyterHub
 Once the database upgrade is completed, start the `jupyterhub`
 process again.
 1. Log in and start the server to make sure things work as
   expected.
 2. Check the logs for any errors or deprecation warnings. You
   might have to update your `jupyterhub_config.py` file to
   deal with any deprecated options.
 Congratulations, your JupyterHub has been upgraded!
--- a/docs/source/images/binder-404.png
+++ b/docs/source/images/binder-404.png
--- a/docs/source/images/binderhub-form.png
+++ b/docs/source/images/binderhub-form.png
--- a/docs/source/images/chp-404.png
+++ b/docs/source/images/chp-404.png
--- a/docs/source/images/collaboration-admin-ui.png
+++ b/docs/source/images/collaboration-admin-ui.png
--- a/docs/source/images/dropdown-details-3.0.png
+++ b/docs/source/images/dropdown-details-3.0.png
--- a/docs/source/images/jupyterlab-rtc.png
+++ b/docs/source/images/jupyterlab-rtc.png
--- a/docs/source/images/mybinder-hub-components-cpu-memory.png
+++ b/docs/source/images/mybinder-hub-components-cpu-memory.png
--- a/docs/source/images/mybinder-load5.png
+++ b/docs/source/images/mybinder-load5.png
--- a/docs/source/images/mybinder-user-resources.png
+++ b/docs/source/images/mybinder-user-resources.png
--- a/docs/source/images/rbac-api-request-chart.png
+++ b/docs/source/images/rbac-api-request-chart.png
--- a/docs/source/images/rbac-token-request-chart.png
+++ b/docs/source/images/rbac-token-request-chart.png
--- a/docs/source/images/server-not-running.png
+++ b/docs/source/images/server-not-running.png
--- a/docs/source/images/shareable_link.webp
+++ b/docs/source/images/shareable_link.webp
--- a/docs/source/images/token-page.png
+++ b/docs/source/images/token-page.png
--- a/docs/source/images/token-request-success.png
+++ b/docs/source/images/token-request-success.png
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Min RK	909b3ad4d7	Merge pull request #3538 from consideRatio/pr/release-1.4.2 Release 1.4.2	2021-07-16 10:57:54 +00:00
Erik Sundell	114493be9b	release 1.4.2	2021-07-15 16:57:54 +02:00
Erik Sundell	4c0ac5ba91	changelog for 1.4.2	2021-07-15 16:57:52 +02:00
Erik Sundell	52793d65bd	Backport PR #3531 : Fix regression where external services api_token became required Issue background Registering an external service means it won't be run as a process by JupyterHub or similar as I understand it, and such external services may be registered only to get a /services/<service_name> route registered with JupyterHub's configured proxy rather than to actually use an api_token and speak with JupyterHub. In the past, it was okay for a external service without an api_token to be registered, but not it isn't. This PR fixes that. The situation when I run into this is when I register grafana as an external service like this (but in reality via a z2jh config with slightly different syntax). ```python c.JupyterHub.services = [ { "name": "grafana", "url": "http://grafana", } ] ``` JupyterHub has a [documentation about Services](https://jupyterhub.readthedocs.io/en/stable/reference/services.html properties-of-a-service), where one can see that the default value of api_token is None. Issue details This is an error me and GeorgianaElena have run into using JupyterHub 1.4.1, but I'm not sure at what point the regression was introduced besides it was around in 1.4.1. I wrote some notes tracking this issue down. This is the summary I wrote. ``` This test was made to reproduce an error like this: ValueError: Tokens must be at least 8 characters, got '' The error had the following stack trace in 1.4.1: jupyterhub/app.py:2213: in init_api_tokens await self._add_tokens(self.service_tokens, kind='service') jupyterhub/app.py:2182: in _add_tokens obj.new_api_token( jupyterhub/orm.py:424: in new_api_token return APIToken.new(token=token, service=self, **kwargs) jupyterhub/orm.py:699: in new cls.check_token(db, token) This test also make _add_tokens receive a token_dict that is buggy: {"": "external_2"} It turned out that whatever passes token_dict to _add_tokens failed to ignore service's api_tokens that were None, and instead passes them as blank strings. It turned out that init_api_tokens was passing self.service_tokens, and that self.service_tokens had been populated with blank string tokens for external services registered with JupyterHub. ``` Signed-off-by: Erik Sundell <erik.i.sundell@gmail.com>	2021-07-15 10:16:18 +02:00
passer	320e1924a7	Backport PR #3521 : Fix contributor documentation's link Clicking the contributor documentation's link [https://jupyter.readthedocs.io/en/latest/contributor/content-contributor.html](https://jupyter.readthedocs.io/en/latest/contributor/content-contributor.html) will get an error This link needs to be replaced with [https://jupyter.readthedocs.io/en/latest/contributing/content-contributor.html](https://jupyter.readthedocs.io/en/latest/contributing/content-contributor.html) Signed-off-by: Erik Sundell <erik.i.sundell@gmail.com>	2021-07-15 10:16:16 +02:00
Min RK	2c90715c8d	Backport PR #3510 : bump autodoc-traits for sphinx compatibility fix, to get docs building again Signed-off-by: Erik Sundell <erik.i.sundell@gmail.com>	2021-07-15 10:16:13 +02:00
David Brochart	c99bb32e12	Backport PR #3494 : Fix typo Signed-off-by: Erik Sundell <erik.i.sundell@gmail.com>	2021-07-15 10:16:11 +02:00
Igor Beliakov	fee4ee23c0	Backport PR #3484 : Bug: save_bearer_token (provider.py) passes a float value to the expires_at field (int) Environment * image: k8s-hub (`jupyterhub/k8s-hub:0.11.1`); * `authenticator_class: dummy`; * db: cocroachdb (`sqlalchemy-cocroachdb`). Description: `save_bearer_token` method (`provider.py`) passes a float value to the `expires_at` field (int). A user can create a notebook, it gets successfully scheduled, and then, once the pod is up and ready, the user is unable to enter the notebook, because jupyterhub cannot save a token. In logs, we can see the following: ``` [I 2021-05-29 14:45:04.302 JupyterHub log:181] 302 GET /hub/api/oauth2/authorize?client_id=jupyterhub-user-user2&redirect_uri=%2Fuser%2Fuser2%2Foauth_callback&response_type=code&state=[secret] -> /user/user2/oauth_callback?code=[secret]&state=[secret] (user2 40.113.125.116) 73.98ms [E 2021-05-29 14:45:04.424 JupyterHub web:1789] Uncaught exception POST /hub/api/oauth2/token (10.42.80.10) HTTPServerRequest(protocol='http', host='hub:8081', method='POST', uri='/hub/api/oauth2/token', version='HTTP/1.1', remote_ip='10.42.80.10') Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1702, in _execute result = method(self.path_args, self.path_kwargs) File "/usr/local/lib/python3.8/dist-packages/jupyterhub/apihandlers/auth.py", line 324, in post headers, body, status = self.oauth_provider.create_token_response( File "/usr/local/lib/python3.8/dist-packages/oauthlib/oauth2/rfc6749/endpoints/base.py", line 116, in wrapper return f(endpoint, uri, args, *kwargs) File "/usr/local/lib/python3.8/dist-packages/oauthlib/oauth2/rfc6749/endpoints/token.py", line 118, in create_token_response return grant_type_handler.create_token_response( File "/usr/local/lib/python3.8/dist-packages/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py", line 313, in create_token_response self.request_validator.save_token(token, request) File "/usr/local/lib/python3.8/dist-packages/jupyterhub/oauth/provider.py", line 281, in save_token return self.save_bearer_token(token, request, args, *kwargs) File "/usr/local/lib/python3.8/dist-packages/jupyterhub/oauth/provider.py", line 354, in save_bearer_token self.db.commit() File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/session.py", line 1042, in commit self.transaction.commit() File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/session.py", line 504, in commit self._prepare_impl() File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/session.py", line 483, in _prepare_impl self.session.flush() File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/session.py", line 2536, in flush self._flush(objects) File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/session.py", line 2678, in _flush transaction.rollback(_capture_exception=True) File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/util/langhelpers.py", line 68, in __exit__ compat.raise_( File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/util/compat.py", line 182, in raise_ raise exception File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/session.py", line 2638, in _flush flush_context.execute() File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/unitofwork.py", line 422, in execute rec.execute(self) File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/unitofwork.py", line 586, in execute persistence.save_obj( File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/persistence.py", line 239, in save_obj _emit_insert_statements( File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/orm/persistence.py", line 1135, in _emit_insert_statements result = cached_connections[connection].execute( File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/engine/base.py", line 1011, in execute return meth(self, multiparams, params) File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/sql/elements.py", line 298, in _execute_on_connection return connection._execute_clauseelement(self, multiparams, params) File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/engine/base.py", line 1124, in _execute_clauseelement ret = self._execute_context( File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/engine/base.py", line 1316, in _execute_context self._handle_dbapi_exception( File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/engine/base.py", line 1510, in _handle_dbapi_exception util.raise_( File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/util/compat.py", line 182, in raise_ raise exception File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/engine/base.py", line 1276, in _execute_context self.dialect.do_execute( File "/usr/local/lib/python3.8/dist-packages/sqlalchemy/engine/default.py", line 593, in do_execute cursor.execute(statement, parameters) sqlalchemy.exc.ProgrammingError: (psycopg2.errors.DatatypeMismatch) value type decimal doesn't match type int of column "expires_at" HINT: you will need to rewrite or cast the expression [SQL: INSERT INTO oauth_access_tokens (client_id, grant_type, expires_at, refresh_token, refresh_expires_at, user_id, session_id, hashed, prefix, created, last_activity) VALUES (%(client_id)s, %(grant_type)s, %(expires_at)s, %(refresh_token)s, %(refresh_expires_at)s, %(user_id)s, %(session_id)s, %(hashed)s, %(prefix)s, %(created)s, %(last_activity)s) RETURNING oauth_access_tokens.id] [parameters: {'client_id': 'jupyterhub-user-user2', 'grant_type': 'authorization_code', 'expires_at': 1622303104.418992, 'refresh_token': 'FVJ8S4is0367LlEMnxIiEIoTOeoxhf', 'refresh_expires_at': None, 'user_id': 662636890939424770, 'session_id': '4e041a2bfcb34a34a00033a281bc1236', 'hashed': 'sha512:1:3b18deae37fbf50a:03df035736960af14e19196e1d13fd74f55c21f17405119f80e75817ff37c7567fab089a3d40b97a57f94b54065ee56f7260895352516b9facb989d656f05be8', 'prefix': 't11z', 'created': datetime.datetime(2021, 5, 29, 14, 45, 4, 421305), 'last_activity': None}] (Background on this error at: http://sqlalche.me/e/13/f405) [W 2021-05-29 14:45:04.430 JupyterHub base:110] Rolling back session due to database error (psycopg2.errors.DatatypeMismatch) value type decimal doesn't match type int of column "expires_at" HINT: you will need to rewrite or cast the expression [SQL: INSERT INTO oauth_access_tokens (client_id, grant_type, expires_at, refresh_token, refresh_expires_at, user_id, session_id, hashed, prefix, created, last_activity) VALUES (%(client_id)s, %(grant_type)s, %(expires_at)s, %(refresh_token)s, %(refresh_expires_at)s, %(user_id)s, %(session_id)s, %(hashed)s, %(prefix)s, %(created)s, %(last_activity)s) RETURNING oauth_access_tokens.id] [parameters: {'client_id': 'jupyterhub-user-user2', 'grant_type': 'authorization_code', 'expires_at': 1622303104.418992, 'refresh_token': 'FVJ8S4is0367LlEMnxIiEIoTOeoxhf', 'refresh_expires_at': None, 'user_id': 662636890939424770, 'session_id': '4e041a2bfcb34a34a00033a281bc1236', 'hashed': 'sha512:1:3b18deae37fbf50a:03df035736960af14e19196e1d13fd74f55c21f17405119f80e75817ff37c7567fab089a3d40b97a57f94b54065ee56f7260895352516b9facb989d656f05be8', 'prefix': 't11z', 'created': datetime.datetime(2021, 5, 29, 14, 45, 4, 421305), 'last_activity': None}] (Background on this error at: http://sqlalche.me/e/13/f405) [E 2021-05-29 14:45:04.443 JupyterHub log:173] { "Host": "hub:8081", "User-Agent": "python-requests/2.25.1", "Accept-Encoding": "gzip, deflate", "Accept": "/*", "Connection": "keep-alive", "Content-Type": "application/x-www-form-urlencoded", "Authorization": "token [secret]", "Content-Length": "190" } [E 2021-05-29 14:45:04.444 JupyterHub log:181] 500 POST /hub/api/oauth2/token (user2 10.42.80.10) 63.28ms ``` Everything went well, when I changed: `expires_at=orm.OAuthAccessToken.now() + token['expires_in'],` to: `expires_at=int(orm.OAuthAccessToken.now() + token['expires_in']),` That's what this PR is about. As a sidenote, `black` formatter adjusted the `orm_client = orm.OAuthClient(identifier=client_id,)` line, but I guess it should be fine. Please, feel free to revert this change if needed. (Upd): added the missing `int` conversion. Signed-off-by: Erik Sundell <erik.i.sundell@gmail.com>	2021-07-15 10:16:08 +02:00
Min RK	2c8b29b6bb	Merge pull request #3467 from minrk/1.4.x Prepare for 1.4.1	2021-05-12 17:16:58 +02:00
Min RK	a53178a92b	Backport PR #3462 : prepare to rename default branch to main - update references to default branch name in docs, workflows - use HEAD in github urls, which always works regardless of default branch name - fix petstore URLs since the old petstore links seem to have stopped working to merge, in order: - [x] approve this PR - [x] rename the default branch to main in settings - [x] merge this PR Related tangent: I've been using [this git default-branch](https://github.com/minrk/git-stuff/blob/main/bin/git-default-branch) to help with my aliases and friends working with repos with different branch names. Signed-off-by: Min RK <benjaminrk@gmail.com>	2021-05-12 15:51:06 +02:00
Min RK	e032cda638	release 1.4.1	2021-05-12 15:45:27 +02:00
Min RK	40820b3489	changelog for 1.4.1	2021-05-12 15:42:21 +02:00
Min RK	80f4454371	Backport PR #3457 : ci: fix typo in environment variable When i setup the release workflow i made a typo in an environment variable so signing into Docker Hub now fails. Observed in https://github.com/jupyterhub/jupyterhub/pull/3456 issuecomment-832923798. Signed-off-by: Min RK <benjaminrk@gmail.com>	2021-05-12 15:36:39 +02:00
Erik Sundell	4d0005b0b7	Backport PR #3454 : define Spawner.delete_forever on base Spawner ...where I thought it already was! Instead of on the test class. and fix the logic for when it is called a bit: - call on all Spawners, not just the default - call on named server deletion when remove=True closes 3451, finishes 3337 Signed-off-by: Min RK <benjaminrk@gmail.com>	2021-05-12 15:36:36 +02:00
Erik Sundell	86761ff0d4	Backport PR #3456 : avoid re-using asyncio.Locks across event loops should never occur in real applications where only one loop is run, but may occur in tests if the Proxy object lives longer than the loop that is running when it's created (imported?). I suspect this is the source of our intermittent test failures with: > got Future <Future pending> attached to a different loop But since they are intermittent, it's hard to be sure, even if this PR passes. The issue: we were allocating an asyncio.Lock(), which in turn grabs a handle on the current event loop, at method definition time in the decorator, instead of call time. The solution: allocate the method at call time and double-check to ensure we never use a lock across event loops by storing the locks per-loop. This should change nothing for 'real' hub instances, where only one loop is ever running, only tests where we start and stop loops a bunch. Signed-off-by: Min RK <benjaminrk@gmail.com>	2021-05-12 15:36:34 +02:00
Min RK	32a2a3031c	Backport PR #3437 : patch base handlers from both jupyter_server and notebook and clarify warning when a base handler isn't patched that auth is still being applied - reorganize patch steps into functions for easier re-use - patch notebook and jupyter_server handlers if they are already imported - run patch after initialize to ensure extensions have done their importing before we check what's present - apply class-level patch even when instance-level patch is happening to avoid triggering patch on every request This change isn't as big as it looks, because it's mostly moving some re-used code to a couple of functions. closes https://github.com/jupyter-server/jupyter_server/issues/488 Signed-off-by: Min RK <benjaminrk@gmail.com>	2021-05-12 15:36:31 +02:00
Min RK	16352496da	Backport PR #3452 : Fix documentation Signed-off-by: Min RK <benjaminrk@gmail.com>	2021-05-12 15:36:28 +02:00
Min RK	2259f57772	Backport PR #3436 : ci: github workflow security, pin action to sha etc Pin references to github actions we rely on in workflows with jobs that reference GitHub secrets that could get exposed. Signed-off-by: Min RK <benjaminrk@gmail.com>	2021-05-12 15:36:26 +02:00