Bump to 5.4.0

Merge pull request #5160 from minrk/prepare-5.4
changelog for 5.4.0
2025-10-07 18:14:10 +00:00 · 2025-10-06 09:08:01 -07:00 · 2025-10-06 09:07:40 -07:00 · 2025-10-06 09:02:12 -07:00 · 2025-10-06 08:41:02 -07:00 · 2025-10-06 08:17:42 -07:00
147 changed files with 10209 additions and 4997 deletions
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -48,10 +48,17 @@ updates:
      # group major bumps of webpack-related dependencies
      jsx-webpack:
        patterns:
-          - "webpack*"
+          - "*webpack*"
          - "@babel/*"
          - "*-loader"
        update-types:
          - major
+      # group major bumps of jest-related dependencies
+      jsx-jest:
+        patterns:
+          - "*jest*"
+          - "*test*"
+        update-types:
+          - major
    schedule:
      interval: monthly
--- a/.github/workflows/registry-overviews.yml
+++ b/.github/workflows/registry-overviews.yml
@@ -1,54 +0,0 @@
-name: Update Registry overviews
-
-env:
-  OWNER: ${{ github.repository_owner }}
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - ".github/workflows/registry-overviews.yml"
-
-      - "README.md"
-      - "onbuild/README.md"
-      - "demo-image/README.md"
-      - "singleuser/README.md"
-  workflow_dispatch:
-
-jobs:
-  update-overview:
-    runs-on: ubuntu-latest
-    name: update-overview (${{matrix.image}})
-    if: github.repository_owner == 'jupyterhub'
-
-    steps:
-      - name: Checkout Repo ⚡️
-        uses: actions/checkout@v4
-
-      - name: Push README to Registry 🐳
-        uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8 # v1
-        env:
-          DOCKER_USER: ${{ secrets.DOCKERHUB_USERNAME }}
-          DOCKER_PASS: ${{ secrets.DOCKERHUB_TOKEN }}
-        with:
-          destination_container_repo: ${{ env.OWNER }}/${{ matrix.image }}
-          provider: dockerhub
-          short_description: ${{ matrix.description }}
-          readme_file: ${{ matrix.readme_file }}
-
-    strategy:
-      matrix:
-        include:
-          - image: jupyterhub
-            description: "JupyterHub: multi-user Jupyter notebook server"
-            readme_file: README.md
-          - image: jupyterhub-onbuild
-            description: onbuild version of JupyterHub images
-            readme_file: onbuild/README.md
-          - image: jupyterhub-demo
-            description: Demo JupyterHub Docker image with a quick overview of what JupyterHub is and how it works
-            readme_file: demo-image/README.md
-          - image: singleuser
-            description: "single-user docker images for use with JupyterHub and DockerSpawner see also: jupyter/docker-stacks"
-            readme_file: singleuser/README.md
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,7 +1,7 @@
 # This is a GitHub workflow defining a set of jobs with a set of steps.
 # ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
 #
-# Test build release artifacts (PyPI package, Docker images) and publish them on
+# Test build release artifacts (PyPI package) and publish them on
 # pushed git tags.
 #
 name: Release
@@ -28,17 +28,20 @@ on:
      - "**"
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  build-release:
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
        with:
          python-version: "3.11"
          cache: pip

-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
        with:
          node-version: "20"

@@ -82,150 +85,3 @@ jobs:
        run: |
          pip install twine
          twine upload --skip-existing dist/*
-
-  publish-docker:
-    runs-on: ubuntu-22.04
-    timeout-minutes: 30
-
-    services:
-      # So that we can test this in PRs/branches
-      local-registry:
-        image: registry:2
-        ports:
-          - 5000:5000
-
-    steps:
-      - name: Should we push this image to a public registry?
-        run: |
-          if [ "${{ startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main') }}" = "true" ]; then
-              echo "REGISTRY=quay.io/" >> $GITHUB_ENV
-          else
-              echo "REGISTRY=localhost:5000/" >> $GITHUB_ENV
-          fi
-
-      - uses: actions/checkout@v4
-
-      # Setup docker to build for multiple platforms, see:
-      # https://github.com/docker/build-push-action/tree/v2.4.0#usage
-      # https://github.com/docker/build-push-action/blob/v2.4.0/docs/advanced/multi-platform.md
-      - name: Set up QEMU (for docker buildx)
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx (for multi-arch builds)
-        uses: docker/setup-buildx-action@v3
-        with:
-          # Allows pushing to registry on localhost:5000
-          driver-opts: network=host
-
-      - name: Setup push rights to Docker Hub
-        # This was setup by...
-        # 1. Creating a [Robot Account](https://quay.io/organization/jupyterhub?tab=robots) in the JupyterHub
-        # .  Quay.io org
-        # 2. Giving it enough permissions to push to the jupyterhub and singleuser images
-        # 3. Putting the robot account's username and password in GitHub actions environment
-        if: env.REGISTRY != 'localhost:5000/'
-        run: |
-          docker login -u "${{ secrets.QUAY_USERNAME }}" -p "${{ secrets.QUAY_PASSWORD }}" "${{ env.REGISTRY }}"
-          docker login -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.DOCKERHUB_TOKEN }}" docker.io
-
-      # image: jupyterhub/jupyterhub
-      #
-      # https://github.com/jupyterhub/action-major-minor-tag-calculator
-      # If this is a tagged build this will return additional parent tags.
-      # E.g. 1.2.3 is expanded to Docker tags
-      # [{prefix}:1.2.3, {prefix}:1.2, {prefix}:1, {prefix}:latest] unless
-      # this is a backported tag in which case the newer tags aren't updated.
-      # For branches this will return the branch name.
-      # If GITHUB_TOKEN isn't available (e.g. in PRs) returns no tags [].
-      - name: Get list of jupyterhub tags
-        id: jupyterhubtags
-        uses: jupyterhub/action-major-minor-tag-calculator@v3
-        with:
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
-          prefix: >-
-            ${{ env.REGISTRY }}jupyterhub/jupyterhub:
-            jupyterhub/jupyterhub:
-          defaultTag: "${{ env.REGISTRY }}jupyterhub/jupyterhub:noref"
-          branchRegex: ^\w[\w-.]*$
-
-      - name: Build and push jupyterhub
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          # tags parameter must be a string input so convert `gettags` JSON
-          # array into a comma separated list of tags
-          tags: ${{ join(fromJson(steps.jupyterhubtags.outputs.tags)) }}
-
-      # image: jupyterhub/jupyterhub-onbuild
-      #
-      - name: Get list of jupyterhub-onbuild tags
-        id: onbuildtags
-        uses: jupyterhub/action-major-minor-tag-calculator@v3
-        with:
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
-          prefix: >-
-            ${{ env.REGISTRY }}jupyterhub/jupyterhub-onbuild:
-            jupyterhub/jupyterhub-onbuild:
-          defaultTag: "${{ env.REGISTRY }}jupyterhub/jupyterhub-onbuild:noref"
-          branchRegex: ^\w[\w-.]*$
-
-      - name: Build and push jupyterhub-onbuild
-        uses: docker/build-push-action@v6
-        with:
-          build-args: |
-            BASE_IMAGE=${{ fromJson(steps.jupyterhubtags.outputs.tags)[0] }}
-          context: onbuild
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ join(fromJson(steps.onbuildtags.outputs.tags)) }}
-
-      # image: jupyterhub/jupyterhub-demo
-      #
-      - name: Get list of jupyterhub-demo tags
-        id: demotags
-        uses: jupyterhub/action-major-minor-tag-calculator@v3
-        with:
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
-          prefix: >-
-            ${{ env.REGISTRY }}jupyterhub/jupyterhub-demo:
-            jupyterhub/jupyterhub-demo:
-          defaultTag: "${{ env.REGISTRY }}jupyterhub/jupyterhub-demo:noref"
-          branchRegex: ^\w[\w-.]*$
-
-      - name: Build and push jupyterhub-demo
-        uses: docker/build-push-action@v6
-        with:
-          build-args: |
-            BASE_IMAGE=${{ fromJson(steps.onbuildtags.outputs.tags)[0] }}
-          context: demo-image
-          # linux/arm64 currently fails:
-          # ERROR: Could not build wheels for argon2-cffi which use PEP 517 and cannot be installed directly
-          # ERROR: executor failed running [/bin/sh -c python3 -m pip install notebook]: exit code: 1
-          platforms: linux/amd64
-          push: true
-          tags: ${{ join(fromJson(steps.demotags.outputs.tags)) }}
-
-      # image: jupyterhub/singleuser
-      #
-      - name: Get list of jupyterhub/singleuser tags
-        id: singleusertags
-        uses: jupyterhub/action-major-minor-tag-calculator@v3
-        with:
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
-          prefix: >-
-            ${{ env.REGISTRY }}jupyterhub/singleuser:
-            jupyterhub/singleuser:
-          defaultTag: "${{ env.REGISTRY }}jupyterhub/singleuser:noref"
-          branchRegex: ^\w[\w-.]*$
-
-      - name: Build and push jupyterhub/singleuser
-        uses: docker/build-push-action@v6
-        with:
-          build-args: |
-            JUPYTERHUB_VERSION=${{ github.ref_type == 'tag' && github.ref_name || format('git:{0}', github.sha) }}
-          context: singleuser
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ join(fromJson(steps.singleusertags.outputs.tags)) }}
--- a/.github/workflows/test-docs.yml
+++ b/.github/workflows/test-docs.yml
@@ -29,6 +29,9 @@ on:
      - "**"
  workflow_dispatch:

+permissions:
+  contents: read
+
 env:
  # UTF-8 content may be interpreted as ascii and causes errors without this.
  LANG: C.UTF-8
@@ -38,9 +41,9 @@ jobs:
  validate-rest-api-definition:
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
        with:
          node-version: "20"
          cache: npm
@@ -52,13 +55,13 @@ jobs:
  test-docs:
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          # make rediraffecheckdiff requires git history to compare current
          # commit with the main branch and previous releases.
          fetch-depth: 0

-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
        with:
          python-version: "3.11"
          cache: pip
--- a/.github/workflows/test-jsx.yml
+++ b/.github/workflows/test-jsx.yml
@@ -32,8 +32,8 @@ jobs:
    timeout-minutes: 5

    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
        with:
          node-version: "20"

--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -139,11 +139,11 @@ jobs:
          if [ "${{ matrix.jupyverse }}" != "" ]; then
              echo "JUPYTERHUB_SINGLEUSER_APP=jupyverse" >> $GITHUB_ENV
          fi
-      - uses: actions/checkout@v4
-      # NOTE: actions/setup-node@v4 make use of a cache within the GitHub base
+      - uses: actions/checkout@v5
+      # NOTE: actions/setup-node@v5 make use of a cache within the GitHub base
      #       environment and setup in a fraction of a second.
      - name: Install Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
        with:
          node-version: "20"
      - name: Install Javascript dependencies
@@ -152,10 +152,10 @@ jobs:
          npm install -g configurable-http-proxy yarn
          npm list

-      # NOTE: actions/setup-python@v5 make use of a cache within the GitHub base
+      # NOTE: actions/setup-python@v6 make use of a cache within the GitHub base
      #       environment and setup in a fraction of a second.
      - name: Install Python ${{ matrix.python }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
        with:
          python-version: "${{ matrix.python }}"
          cache: pip
@@ -173,7 +173,7 @@ jobs:
            # make sure our `>=` pins really do express our minimum supported versions
            pip install -r ci/oldest-dependencies/requirements.old -e .
          else
-            pip install --pre -e ".[test]"
+            pip install --pre -e ".[test]" "pycurl; python_version >= '3.10'"
          fi

          if [ "${{ matrix.main_dependencies }}" != "" ]; then
@@ -252,31 +252,10 @@ jobs:

      - name: Ensure browsers are installed for playwright
        if: matrix.browser
-        run: python -m playwright install --with-deps
+        run: python -m playwright install --with-deps firefox

      - name: Run pytest
        run: |
          pytest -k "${{ matrix.subset }}" --maxfail=2 --cov=jupyterhub jupyterhub/tests

-      - uses: codecov/codecov-action@v4
-
-  docker-build:
-    runs-on: ubuntu-22.04
-    timeout-minutes: 20
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: build images
-        run: |
-          DOCKER_BUILDKIT=1 docker build -t jupyterhub/jupyterhub .
-          docker build -t jupyterhub/jupyterhub-onbuild onbuild
-          docker build -t jupyterhub/singleuser singleuser
-
-      - name: smoke test jupyterhub
-        run: |
-          docker run --rm -t jupyterhub/jupyterhub jupyterhub --help
-
-      - name: verify static files
-        run: |
-          docker run --rm -t -v $PWD/dockerfiles:/io jupyterhub/jupyterhub python3 /io/test.py
+      - uses: codecov/codecov-action@v5
--- a/.gitignore
+++ b/.gitignore
@@ -7,8 +7,6 @@ node_modules
 dist
 docs/_build
 docs/build
-docs/source/_static/rest-api
-docs/source/rbac/scope-table.md
 docs/source/reference/metrics.md

 .ipynb_checkpoints
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,7 +16,7 @@ ci:
 repos:
  # autoformat and lint Python code
  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.6.3
+    rev: v0.12.11
    hooks:
      - id: ruff
        types_or:
@@ -29,15 +29,15 @@ repos:
          - jupyter

  # Autoformat: markdown, yaml, javascript (see the file .prettierignore)
-  - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v4.0.0-alpha.8
+  - repo: https://github.com/rbubley/mirrors-prettier
+    rev: v3.6.2
    hooks:
      - id: prettier
-        exclude: .*/templates/.*
+        exclude: .*/templates/.*|docs/source/_static/rest-api.yml|docs/source/rbac/scope-table.md

  # autoformat HTML templates
  - repo: https://github.com/djlint/djLint
-    rev: v1.35.2
+    rev: v1.36.4
    hooks:
      - id: djlint-reformat-jinja
        files: ".*templates/.*.html"
@@ -49,10 +49,38 @@ repos:

  # Autoformat and linting, misc. details
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v6.0.0
    hooks:
      - id: end-of-file-fixer
        exclude: share/jupyterhub/static/js/admin-react.js
      - id: requirements-txt-fixer
      - id: check-case-conflict
      - id: check-executables-have-shebangs
+
+  # source docs: rest-api.yml and scope-table.md are autogenerated
+  - repo: local
+    hooks:
+      - id: update-api-and-scope-docs
+        name: Update rest-api.yml and scope-table.md based on scopes.py
+        language: python
+        additional_dependencies: ["pytablewriter", "ruamel.yaml"]
+        entry: python docs/source/rbac/generate-scope-table.py
+        args:
+          - --update
+        files: jupyterhub/scopes.py
+        pass_filenames: false
+
+      # run eslint in the jsx directory
+      # need to pass through 'jsx:install-run' hook in
+      # top-level package.json to ensure dependencies are installed
+      # eslint pre-commit hook doesn't really work with eslint 9,
+      # so use `npm run lint:fix`
+      - id: jsx-eslint
+        name: eslint in jsx/
+        entry: npm run jsx:install-run lint:fix
+        pass_filenames: false
+        language: node
+        files: "jsx/.*"
+        # can't run on pre-commit; hangs, for some reason
+        stages:
+          - manual
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -8,10 +8,9 @@ sphinx:
  configuration: docs/source/conf.py

 build:
-  os: ubuntu-22.04
+  os: ubuntu-24.04
  tools:
-    nodejs: "20"
-    python: "3.11"
+    python: "3.13"

 python:
  install:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,3 +12,29 @@ Please see our documentation on
 - [Testing JupyterHub and linting code](https://jupyterhub.readthedocs.io/en/latest/contributing/tests.html)

 If you need some help, feel free to ask on [Gitter](https://gitter.im/jupyterhub/jupyterhub) or [Discourse](https://discourse.jupyter.org/).
+
+## Our Copyright Policy
+
+Jupyter uses a shared copyright model. Each contributor maintains copyright
+over their contributions to Jupyter. But, it is important to note that these
+contributions are typically only changes to the repositories. Thus, the Jupyter
+source code, in its entirety is not the copyright of any single person or
+institution. Instead, it is the collective copyright of the entire Jupyter
+Development Team. If individual contributors want to maintain a record of what
+changes/contributions they have specific copyright on, they should indicate
+their copyright in the commit message of the change, when they commit the
+change to one of the Jupyter repositories.
+
+With this in mind, the following banner should be used in any source code file
+to indicate the copyright and license terms:
+
+    # Copyright (c) Jupyter Development Team.
+    # Distributed under the terms of the Modified BSD License.
+
+### About the Jupyter Development Team
+
+The Jupyter Development Team is the set of all contributors to the Jupyter project.
+This includes all of the Jupyter subprojects.
+
+The team that coordinates JupyterHub subproject can be found here:
+https://compass.hub.jupyter.org/page/governance.html
--- a/COPYING.md
+++ b/COPYING.md
@@ -1,59 +0,0 @@
-# The Jupyter multi-user notebook server licensing terms
-
-Jupyter multi-user notebook server is licensed under the terms of the Modified BSD License
-(also known as New or Revised or 3-Clause BSD), as follows:
-
- Copyright (c) 2014-, Jupyter Development Team
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-Redistributions in binary form must reproduce the above copyright notice, this
-list of conditions and the following disclaimer in the documentation and/or
-other materials provided with the distribution.
-
-Neither the name of the Jupyter Development Team nor the names of its
-contributors may be used to endorse or promote products derived from this
-software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-## About the Jupyter Development Team
-
-The Jupyter Development Team is the set of all contributors to the Jupyter project.
-This includes all of the Jupyter subprojects.
-
-The core team that coordinates development on GitHub can be found here:
-https://github.com/jupyter/.
-
-## Our Copyright Policy
-
-Jupyter uses a shared copyright model. Each contributor maintains copyright
-over their contributions to Jupyter. But, it is important to note that these
-contributions are typically only changes to the repositories. Thus, the Jupyter
-source code, in its entirety is not the copyright of any single person or
-institution. Instead, it is the collective copyright of the entire Jupyter
-Development Team. If individual contributors want to maintain a record of what
-changes/contributions they have specific copyright on, they should indicate
-their copyright in the commit message of the change, when they commit the
-change to one of the Jupyter repositories.
-
-With this in mind, the following banner should be used in any source code file
-to indicate the copyright and license terms:
-
-    # Copyright (c) Jupyter Development Team.
-    # Distributed under the terms of the Modified BSD License.
--- a/146
+++ b/146
@@ -1,146 +0,0 @@
-# An incomplete base Docker image for running JupyterHub
-#
-# Add your configuration to create a complete derivative Docker image.
-#
-# Include your configuration settings by starting with one of two options:
-#
-# Option 1:
-#
-# FROM quay.io/jupyterhub/jupyterhub:latest
-#
-# And put your configuration file jupyterhub_config.py in /srv/jupyterhub/jupyterhub_config.py.
-#
-# Option 2:
-#
-# Or you can create your jupyterhub config and database on the host machine, and mount it with:
-#
-# docker run -v $PWD:/srv/jupyterhub -t quay.io/jupyterhub/jupyterhub
-#
-# NOTE
-# If you base on quay.io/jupyterhub/jupyterhub-onbuild
-# your jupyterhub_config.py will be added automatically
-# from your docker directory.
-
-######################################################################
-# This Dockerfile uses multi-stage builds with optimisations to build
-# the JupyterHub wheel on the native architecture only
-# https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
-
-ARG BASE_IMAGE=ubuntu:22.04
-
-
-######################################################################
-# The JupyterHub wheel is pure Python so can be built for any platform
-# on the native architecture (avoiding QEMU emulation)
-FROM --platform=${BUILDPLATFORM:-linux/amd64} $BASE_IMAGE AS jupyterhub-builder
-
-ENV DEBIAN_FRONTEND=noninteractive
-
-# Don't clear apt cache, and don't combine RUN commands, so that cached layers can
-# be reused in other stages
-
-RUN apt-get update -qq \
- && apt-get install -yqq --no-install-recommends \
-    build-essential \
-    ca-certificates \
-    curl \
-    git \
-    gnupg \
-    locales \
-    python3-dev \
-    python3-pip \
-    python3-pycurl \
-    python3-venv \
- && python3 -m pip install --no-cache-dir --upgrade setuptools pip build wheel
-# Ubuntu 22.04 comes with Nodejs 12 which is too old for building JupyterHub JS
-# It's fine at runtime though (used only by configurable-http-proxy)
-ARG NODE_MAJOR=20
-RUN mkdir -p /etc/apt/keyrings \
- && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
- && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
- && apt-get update \
- && apt-get install -yqq --no-install-recommends \
-    nodejs
-
-WORKDIR /src/jupyterhub
-# copy everything except whats in .dockerignore, its a
-# compromise between needing to rebuild and maintaining
-# what needs to be part of the build
-COPY . .
-
-ARG PIP_CACHE_DIR=/tmp/pip-cache
-RUN --mount=type=cache,target=${PIP_CACHE_DIR} \
-    python3 -m build --wheel
-
-# verify installed files
-RUN --mount=type=cache,target=${PIP_CACHE_DIR} \
-    python3 -m pip install ./dist/*.whl \
- && cd ci \
- && python3 check_installed_data.py
-
-######################################################################
-# All other wheels required by JupyterHub, some are platform specific
-FROM $BASE_IMAGE AS wheel-builder
-
-ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update -qq \
- && apt-get install -yqq --no-install-recommends \
-    build-essential \
-    ca-certificates \
-    curl \
-    locales \
-    python3-dev \
-    python3-pip \
-    python3-pycurl \
-    python3-venv \
- && python3 -m pip install --no-cache-dir --upgrade setuptools pip build wheel
-
-WORKDIR /src/jupyterhub
-
-COPY --from=jupyterhub-builder /src/jupyterhub/dist/*.whl /src/jupyterhub/dist/
-ARG PIP_CACHE_DIR=/tmp/pip-cache
-RUN --mount=type=cache,target=${PIP_CACHE_DIR} \
-    python3 -m pip wheel --wheel-dir wheelhouse dist/*.whl
-
-
-######################################################################
-# The final JupyterHub image, platform specific
-FROM $BASE_IMAGE AS jupyterhub
-
-ENV DEBIAN_FRONTEND=noninteractive \
-    SHELL=/bin/bash \
-    LC_ALL=en_US.UTF-8 \
-    LANG=en_US.UTF-8 \
-    LANGUAGE=en_US.UTF-8 \
-    PYTHONDONTWRITEBYTECODE=1
-
-EXPOSE 8000
-
-LABEL maintainer="Jupyter Project <jupyter@googlegroups.com>"
-LABEL org.jupyter.service="jupyterhub"
-
-WORKDIR /srv/jupyterhub
-
-RUN apt-get update -qq \
- && apt-get install -yqq --no-install-recommends \
-    ca-certificates \
-    curl \
-    gnupg \
-    locales \
-    python-is-python3 \
-    python3-pip \
-    python3-pycurl \
-    nodejs \
-    npm \
- && locale-gen $LC_ALL \
- && npm install -g configurable-http-proxy@^4.2.0 \
- # clean cache and logs
- && rm -rf /var/lib/apt/lists/* /var/log/* /var/tmp/* ~/.npm
-# install the wheels we built in the previous stage
-RUN --mount=type=cache,from=wheel-builder,source=/src/jupyterhub/wheelhouse,target=/tmp/wheelhouse \
-    # always make sure pip is up to date!
-    python3 -m pip install --no-compile --no-cache-dir --upgrade setuptools pip \
- && python3 -m pip install --no-compile --no-cache-dir /tmp/wheelhouse/*
-
-CMD ["jupyterhub"]
--- a/11
+++ b/11
@@ -0,0 +1,11 @@
+Copyright 2014-, Jupyter Development Team
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/README.md
+++ b/README.md
@@ -58,7 +58,6 @@ for administration of the Hub and its users.
 - A Linux/Unix based system
 - [Python](https://www.python.org/downloads/) 3.8 or greater
 - [nodejs/npm](https://www.npmjs.com/)
-
  - If you are using **`conda`**, the nodejs and npm dependencies will be installed for
    you by conda.

@@ -111,7 +110,7 @@ Visit `http://localhost:8000` in your browser, and sign in with your system user

 _Note_: To allow multiple users to sign in to the server, you will need to
 run the `jupyterhub` command as a _privileged user_, such as root.
-The [wiki](https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges)
+The [documentation](https://jupyterhub.readthedocs.io/en/latest/howto/configuration/config-sudo.html)
 describes how to run the server as a _less privileged user_, which requires
 more configuration of the system.

@@ -220,7 +219,7 @@ docker container or Linux VM.
 We use a shared copyright model that enables all contributors to maintain the
 copyright on their contributions.

-All code is licensed under the terms of the [revised BSD license](./COPYING.md).
+All code is licensed under the terms of the [revised BSD license](./LICENSE).

 ## Help and resources

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,5 +1,5 @@
 # Reporting a Vulnerability

 If you believe you’ve found a security vulnerability in a Jupyter
-project, please report it to security@ipython.org. If you prefer to
-encrypt your security reports, you can use [this PGP public key](https://jupyter-notebook.readthedocs.io/en/stable/_downloads/1d303a645f2505a8fd283826fafc9908/ipython_security.asc).
+project, please report it!
+See the [security documentation](https://jupyterhub.readthedocs.org/en/latest/contributing/security.html) for how.
--- a/demo-image/Dockerfile
+++ b/demo-image/Dockerfile
@@ -1,16 +0,0 @@
-# Demo JupyterHub Docker image
-#
-# This should only be used for demo or testing and not as a base image to build on.
-#
-# It includes the notebook package and it uses the DummyAuthenticator and the SimpleLocalProcessSpawner.
-ARG BASE_IMAGE=quay.io/jupyterhub/jupyterhub-onbuild
-FROM ${BASE_IMAGE}
-
-# Install the notebook package
-RUN python3 -m pip install notebook
-
-# Create a demo user
-RUN useradd --create-home demo
-RUN chown demo .
-
-USER demo
--- a/demo-image/README.md
+++ b/demo-image/README.md
@@ -1,26 +0,0 @@
-## Demo Dockerfile
-
-This is a demo JupyterHub Docker image to help you get a quick overview of what
-JupyterHub is and how it works.
-
-It uses the SimpleLocalProcessSpawner to spawn new user servers and
-DummyAuthenticator for authentication.
-The DummyAuthenticator allows you to log in with any username & password and the
-SimpleLocalProcessSpawner allows starting servers without having to create a
-local user for each JupyterHub user.
-
-### Important!
-
-This should only be used for demo or testing purposes!
-It shouldn't be used as a base image to build on.
-
-### Try it
-
-1. `cd` to the root of your jupyterhub repo.
-
-2. Build the demo image with `docker build -t jupyterhub-demo demo-image`.
-
-3. Run the demo image with `docker run -d -p 8000:8000 jupyterhub-demo`.
-
-4. Visit http://localhost:8000 and login with any username and password
-5. Happy demo-ing :tada:!
--- a/demo-image/jupyterhub_config.py
+++ b/demo-image/jupyterhub_config.py
@@ -1,7 +0,0 @@
-# Configuration file for jupyterhub-demo
-
-c = get_config()  # noqa
-
-# Use DummyAuthenticator and SimpleSpawner
-c.JupyterHub.spawner_class = "simple"
-c.JupyterHub.authenticator_class = "dummy"
--- a/dockerfiles/test.py
+++ b/dockerfiles/test.py
@@ -1,14 +0,0 @@
-import os
-
-from jupyterhub._data import DATA_FILES_PATH
-
-print(f"DATA_FILES_PATH={DATA_FILES_PATH}")
-
-for sub_path in (
-    "templates",
-    "static/components",
-    "static/css/style.min.css",
-    "static/js/admin-react.js",
-):
-    path = os.path.join(DATA_FILES_PATH, sub_path)
-    assert os.path.exists(path), path
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -35,7 +35,7 @@ help:
 # - NOTE: If the pre-requisites for the html target is updated, also update the
 #         Read The Docs section in docs/source/conf.py.
 #
-html: metrics scopes
+html: metrics
 	$(SPHINXBUILD) -b html "$(SOURCEDIR)" "$(BUILDDIR)/html" $(SPHINXOPTS)
 	@echo
 	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
@@ -44,10 +44,6 @@ metrics: source/reference/metrics.md
 source/reference/metrics.md:
 	python3 generate-metrics.py

-scopes: source/rbac/scope-table.md
-source/rbac/scope-table.md:
-	python3 source/rbac/generate-scope-table.py
-

 # Manually added targets - related to development
 # ----------------------------------------------------------------------------
@@ -56,7 +52,7 @@ source/rbac/scope-table.md:
 # - requires sphinx-autobuild, see
 #   https://sphinxcontrib-spelling.readthedocs.io/en/latest/
 # - builds and rebuilds html on changes to source, but does not re-generate
-#   metrics/scopes files
+#   metrics files
 # - starts a livereload enabled webserver and opens up a browser
 devenv: html
 	sphinx-autobuild -b html --open-browser "$(SOURCEDIR)" "$(BUILDDIR)/html"
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -2,6 +2,7 @@
 # don't depend on it here, as that often results in a duplicate
 # installation of jupyterhub that's already installed
 autodoc-traits
+intersphinx-registry
 jupyterhub-sphinx-theme
 myst-parser>=0.19
 pre-commit
--- a/docs/source/_static/rest-api.yml
+++ b/docs/source/_static/rest-api.yml
@@ -7,7 +7,7 @@ info:
  license:
    name: BSD-3-Clause
    identifier: BSD-3-Clause
-  version: 5.2.1
+  version: 5.4.0
 servers:
  - url: /hub/api
 security:
@@ -62,20 +62,19 @@ paths:
                    properties:
                      class:
                        type: string
-                        description:
-                          The Python class currently active for JupyterHub
-                          Authentication
+                        description: The Python class currently active for 
+                          JupyterHub Authentication
                      version:
                        type: string
-                        description: The version of the currently active Authenticator
+                        description: The version of the currently active 
+                          Authenticator
                  spawner:
                    type: object
                    properties:
                      class:
                        type: string
-                        description:
-                          The Python class currently active for spawning
-                          single-user notebook servers
+                        description: The Python class currently active for 
+                          spawning single-user notebook servers
                      version:
                        type: string
                        description: The version of the currently active Spawner
@@ -258,9 +257,8 @@ paths:
      parameters:
        - $ref: "#/components/parameters/userName"
      requestBody:
-        description:
-          Updated user info. At least one key to be updated (name or admin)
-          is required.
+        description: Updated user info. At least one key to be updated (name or 
+          admin) is required.
        content:
          application/json:
            schema:
@@ -268,14 +266,12 @@ paths:
              properties:
                name:
                  type: string
-                  description:
-                    the new name (optional, if another key is updated i.e.
-                    admin)
+                  description: the new name (optional, if another key is updated
+                    i.e. admin)
                admin:
                  type: boolean
-                  description:
-                    update admin (optional, if another key is updated i.e.
-                    name)
+                  description: update admin (optional, if another key is updated
+                    i.e. name)
        required: true
      responses:
        200:
@@ -291,9 +287,8 @@ paths:
    post:
      operationId: post-user-activity
      summary: Notify Hub of activity for a given user
-      description:
-        Notify the Hub of activity by the user, e.g. accessing a service
-        or (more likely) actively using a server.
+      description: Notify the Hub of activity by the user, e.g. accessing a 
+        service or (more likely) actively using a server.
      parameters:
        - $ref: "#/components/parameters/userName"
      requestBody:
@@ -372,9 +367,8 @@ paths:
          description: The user's notebook server has started
          content: {}
        202:
-          description:
-            The user's notebook server has not yet started, but has been
-            requested
+          description: The user's notebook server has not yet started, but has 
+            been requested
          content: {}
      security:
        - oauth2:
@@ -387,9 +381,8 @@ paths:
        - $ref: "#/components/parameters/userName"
      responses:
        202:
-          description:
-            The user's notebook server has not yet stopped as it is taking
-            a while to stop
+          description: The user's notebook server has not yet stopped as it is 
+            taking a while to stop
          content: {}
        204:
          description: The user's notebook server has stopped
@@ -420,9 +413,8 @@ paths:
          description: The user's notebook named-server has started
          content: {}
        202:
-          description:
-            The user's notebook named-server has not yet started, but has
-            been requested
+          description: The user's notebook named-server has not yet started, but
+            has been requested
          content: {}
      security:
        - oauth2:
@@ -457,9 +449,8 @@ paths:
        required: false
      responses:
        202:
-          description:
-            The user's notebook named-server has not yet stopped as it
-            is taking a while to stop
+          description: The user's notebook named-server has not yet stopped as 
+            it is taking a while to stop
          content: {}
        204:
          description: The user's notebook named-server has stopped
@@ -472,9 +463,8 @@ paths:
    get:
      operationId: get-user-shared
      summary: List servers shared with user
-      description:
-        Returns list of Shares granting the user access to servers owned
-        by others (new in 5.0)
+      description: Returns list of Shares granting the user access to servers 
+        owned by others (new in 5.0)
      parameters:
        - $ref: "#/components/parameters/userName"

@@ -587,12 +577,13 @@ paths:
                expires_in:
                  type: number
                  example: 3600
-                  description:
-                    lifetime (in seconds) after which the requested token
-                    will expire. Omit, or specify null or 0 for no expiration.
+                  description: lifetime (in seconds) after which the requested 
+                    token will expire. Omit, or specify null or 0 for no 
+                    expiration.
                note:
                  type: string
-                  description: A note attached to the token for future bookkeeping
+                  description: A note attached to the token for future 
+                    bookkeeping
                roles:
                  type: array
                  description: |
@@ -770,7 +761,8 @@ paths:
        - $ref: "#/components/parameters/sharedServerName"
      responses:
        200:
-          description: The permissions granted to members of `group` on `owner/server`
+          description: The permissions granted to members of `group` on 
+            `owner/server`
          content:
            application/json:
              schema:
@@ -1185,7 +1177,8 @@ paths:
                        description: |
                          The full URL for accepting the code,
                          if JupyterHub.public_url configuration is defined.
-                        example: https://hub.example.org/hub/accept-share?code=abc123
+                        example: 
+                          https://hub.example.org/hub/accept-share?code=abc123
      security:
        - oauth2:
            - shares
@@ -1262,9 +1255,8 @@ paths:
    get:
      operationId: get-proxy
      summary: Get the proxy's routing table
-      description:
-        A convenience alias for getting the routing table directly from
-        the proxy
+      description: A convenience alias for getting the routing table directly 
+        from the proxy
      parameters:
        - $ref: "#/components/parameters/paginationOffset"
        - $ref: "#/components/parameters/paginationLimit"
@@ -1275,9 +1267,8 @@ paths:
            application/json:
              schema:
                type: object
-                description:
-                  configurable-http-proxy routing table (see configurable-http-proxy
-                  docs for details)
+                description: configurable-http-proxy routing table (see 
+                  configurable-http-proxy docs for details)
      security:
        - oauth2:
            - proxy
@@ -1296,9 +1287,8 @@ paths:
      summary: Notify the Hub about a new proxy
      description: Notifies the Hub of a new proxy to use.
      requestBody:
-        description:
-          Any values that have changed for the new proxy. All keys are
-          optional.
+        description: Any values that have changed for the new proxy. All keys 
+          are optional.
        content:
          application/json:
            schema:
@@ -1389,9 +1379,8 @@ paths:
    get:
      operationId: get-auth-cookie
      summary: Identify a user from a cookie
-      description:
-        Used by single-user notebook servers to hand off cookie authentication
-        to the Hub
+      description: Used by single-user notebook servers to hand off cookie 
+        authentication to the Hub
      parameters:
        - name: cookie_name
          in: path
@@ -1515,14 +1504,12 @@ paths:
              properties:
                proxy:
                  type: boolean
-                  description:
-                    Whether the proxy should be shutdown as well (default
-                    from Hub config)
+                  description: Whether the proxy should be shutdown as well 
+                    (default from Hub config)
                servers:
                  type: boolean
-                  description:
-                    Whether users' notebook servers should be shutdown
-                    as well (default from Hub config)
+                  description: Whether users' notebook servers should be 
+                    shutdown as well (default from Hub config)
        required: false
      responses:
        202:
@@ -1646,6 +1633,11 @@ components:
        name:
          type: string
          description: The user's name
+        kind:
+          type: string
+          description: the string 'user' to distinguish from 'service'
+          enum:
+            - user
        admin:
          type: boolean
          description: Whether the user is an admin
@@ -1661,9 +1653,8 @@ components:
            type: string
        server:
          type: string
-          description:
-            The user's notebook server's base URL, if running; null if
-            not.
+          description: The user's notebook server's base URL, if running; null 
+            if not.
        pending:
          type: string
          description: The currently pending action, if any
@@ -1694,9 +1685,8 @@ components:
      properties:
        name:
          type: string
-          description:
-            The server's name. The user's default server has an empty name
-            ('')
+          description: The server's name. The user's default server has an empty
+            name ('')
        ready:
          type: boolean
          description: |
@@ -1758,16 +1748,14 @@ components:
        state:
          type: object
          properties: {}
-          description:
-            Arbitrary internal state from this server's spawner. Only available
-            on the hub's users list or get-user-by-name method, and only with admin:users:server_state
-            scope. None otherwise.
+          description: Arbitrary internal state from this server's spawner. Only
+            available on the hub's users list or get-user-by-name method, and 
+            only with admin:users:server_state scope. None otherwise.
        user_options:
          type: object
          properties: {}
-          description:
-            User specified options for the user's spawned instance of a
-            single-user server.
+          description: User specified options for the user's spawned instance of
+            a single-user server.
    RequestIdentity:
      description: |
        The model for the entity making the request.
@@ -1784,6 +1772,13 @@ components:
              service: "#/components/schemas/Service"
        - type: object
          properties:
+            kind:
+              type: string
+              description: |
+                'user' or 'service' depending on the entity which owns the token
+              enum:
+                - user
+                - service
            session_id:
              type:
                - string
@@ -1820,6 +1815,11 @@ components:
        name:
          type: string
          description: The group's name
+        kind:
+          type: string
+          description: Always the string 'group'
+          enum:
+            - group
        users:
          type: array
          description: The names of users who are members of this group
@@ -1845,6 +1845,11 @@ components:
        name:
          type: string
          description: The service's name
+        kind:
+          type: string
+          description: the string 'service' to distinguish from 'user'
+          enum:
+            - service
        admin:
          type: boolean
          description: Whether the service is an admin
@@ -1918,9 +1923,8 @@ components:
          items:
            type: string
        group:
-          description:
-            the group being shared with (exactly one of 'user' or 'group'
-            will be non-null, the other will be null)
+          description: the group being shared with (exactly one of 'user' or 
+            'group' will be non-null, the other will be null)
          type:
            - object
            - "null"
@@ -1928,9 +1932,8 @@ components:
            name:
              type: string
        user:
-          description:
-            the user being shared with (exactly one of 'user' or 'group'
-            will be non-null, the other will be null)
+          description: the user being shared with (exactly one of 'user' or 
+            'group' will be non-null, the other will be null)
          type:
            - object
            - "null"
@@ -1943,9 +1946,8 @@ components:
          format: date-time

    ShareCode:
-      description:
-        A single sharing code. There is at most one of these objects per
-        (server, user) or (server, group) combination.
+      description: A single sharing code. There is at most one of these objects 
+        per (server, user) or (server, group) combination.
      type: object
      properties:
        server:
@@ -1980,41 +1982,41 @@ components:
      properties:
        id:
          type: string
-          description:
-            The id of the API token. Used for modifying or deleting the
-            token.
+          description: The id of the API token. Used for modifying or deleting 
+            the token.
        user:
          type: string
-          description: The user that owns a token (undefined if owned by a service)
+          description: The user that owns a token (undefined if owned by a 
+            service)
        service:
          type: string
-          description: The service that owns the token (undefined of owned by a user)
+          description: The service that owns the token (undefined of owned by a 
+            user)
        roles:
          type: array
-          description:
-            Deprecated in JupyterHub 3, always an empty list. Tokens have
-            'scopes' starting from JupyterHub 3.
+          description: Deprecated in JupyterHub 3, always an empty list. Tokens 
+            have 'scopes' starting from JupyterHub 3.
          items:
            type: string
        scopes:
          type: array
-          description:
-            List of scopes this token has been assigned. New in JupyterHub
-            3. In JupyterHub 2.x, tokens were assigned 'roles' instead of scopes.
+          description: List of scopes this token has been assigned. New in 
+            JupyterHub 3. In JupyterHub 2.x, tokens were assigned 'roles' 
+            instead of scopes.
          items:
            type: string
        note:
          type: string
-          description:
-            A note about the token, typically describing what it was created
-            for.
+          description: A note about the token, typically describing what it was 
+            created for.
        created:
          type: string
          description: Timestamp when this token was created
          format: date-time
        expires_at:
          type: string
-          description: Timestamp when this token expires. Null if there is no expiry.
+          description: Timestamp when this token expires. Null if there is no 
+            expiry.
          format: date-time
        last_activity:
          type: string
@@ -2037,46 +2039,45 @@ components:
      properties:
        token:
          type: string
-          description:
-            The token itself. Only present in responses to requests for
-            a new token.
+          description: The token itself. Only present in responses to requests 
+            for a new token.
        id:
          type: string
-          description:
-            The id of the API token. Used for modifying or deleting the
-            token.
+          description: The id of the API token. Used for modifying or deleting 
+            the token.
        user:
          type: string
-          description: The user that owns a token (undefined if owned by a service)
+          description: The user that owns a token (undefined if owned by a 
+            service)
        service:
          type: string
-          description: The service that owns the token (undefined of owned by a user)
+          description: The service that owns the token (undefined of owned by a 
+            user)
        roles:
          type: array
-          description:
-            Deprecated in JupyterHub 3, always an empty list. Tokens have
-            'scopes' starting from JupyterHub 3.
+          description: Deprecated in JupyterHub 3, always an empty list. Tokens 
+            have 'scopes' starting from JupyterHub 3.
          items:
            type: string
        scopes:
          type: array
-          description:
-            List of scopes this token has been assigned. New in JupyterHub
-            3. In JupyterHub 2.x, tokens were assigned 'roles' instead of scopes.
+          description: List of scopes this token has been assigned. New in 
+            JupyterHub 3. In JupyterHub 2.x, tokens were assigned 'roles' 
+            instead of scopes.
          items:
            type: string
        note:
          type: string
-          description:
-            A note about the token, typically describing what it was created
-            for.
+          description: A note about the token, typically describing what it was 
+            created for.
        created:
          type: string
          description: Timestamp when this token was created
          format: date-time
        expires_at:
          type: string
-          description: Timestamp when this token expires. Null if there is no expiry.
+          description: Timestamp when this token expires. Null if there is no 
+            expiry.
          format: date-time
        last_activity:
          type: string
@@ -2106,28 +2107,23 @@ components:
          tokenUrl: /hub/api/oauth2/token
          scopes:
            (no_scope): Identify the owner of the requesting entity.
-            self:
-              The user’s own resources _(metascope for users, resolves to (no_scope)
-              for services)_
-            inherit:
-              Everything that the token-owning entity can access _(metascope
-              for tokens)_
-            admin-ui:
-              Access the admin page. Permission to take actions via the admin
-              page granted separately.
-            admin:users:
-              Read, modify, create, and delete users and their authentication
-              state, not including their servers or tokens. This is an extremely privileged
-              scope and should be considered tantamount to superuser.
+            self: The user’s own resources _(metascope for users, resolves to 
+              (no_scope) for services)_
+            inherit: Everything that the token-owning entity can access 
+              _(metascope for tokens)_
+            admin-ui: Access the admin page. Permission to take actions via the 
+              admin page granted separately.
+            admin:users: Read, modify, create, and delete users and their 
+              authentication state, not including their servers or tokens. This 
+              is an extremely privileged scope and should be considered 
+              tantamount to superuser.
            admin:auth_state: Read a user’s authentication state.
-            users:
-              Read and write permissions to user models (excluding servers, tokens
-              and authentication state).
+            users: Read and write permissions to user models (excluding servers,
+              tokens and authentication state).
            delete:users: Delete users.
            list:users: List users, including at least their names.
-            read:users:
-              Read user models (including servers, tokens and authentication
-              state).
+            read:users: Read user models (including the URL of the default 
+              server if it is running).
            read:users:name: Read names of users.
            read:users:groups: Read users’ group membership.
            read:users:activity: Read time of last user activity.
@@ -2136,28 +2132,25 @@ components:
            read:roles:services: Read service role assignments.
            read:roles:groups: Read group role assignments.
            users:activity: Update time of last user activity.
-            admin:servers:
-              Read, start, stop, create and delete user servers and their
-              state.
+            admin:servers: Read, start, stop, create and delete user servers and
+              their state.
            admin:server_state: Read and write users’ server state.
            servers: Start and stop user servers.
-            read:servers:
-              Read users’ names and their server models (excluding the
-              server state).
+            read:servers: Read users’ names and their server models (excluding 
+              the server state).
            delete:servers: Stop and delete users' servers.
            tokens: Read, write, create and delete user tokens.
            read:tokens: Read user tokens.
-            admin:groups: Read and write group information, create and delete groups.
-            groups:
-              "Read and write group information, including adding/removing any
-              users to/from groups. Note: adding users to groups may affect permissions."
+            admin:groups: Read and write group information, create and delete 
+              groups.
+            groups: 'Read and write group information, including adding/removing any
+              users to/from groups. Note: adding users to groups may affect permissions.'
            list:groups: List groups, including at least their names.
            read:groups: Read group models.
            read:groups:name: Read group names.
            delete:groups: Delete groups.
-            admin:services:
-              Create, read, update, delete services, not including services
-              defined from config files.
+            admin:services: Create, read, update, delete services, not including
+              services defined from config files.
            list:services: List services, including at least their names.
            read:services: Read service models.
            read:services:name: Read service names.
@@ -2170,8 +2163,7 @@ components:
            read:groups:shares: Read servers shared with a group.
            read:shares: Read information about shared access to servers.
            shares: Manage access to shared servers.
-            proxy:
-              Read information about the proxy’s routing table, sync the Hub
-              with the proxy and notify the Hub about a new proxy.
+            proxy: Read information about the proxy’s routing table, sync the 
+              Hub with the proxy and notify the Hub about a new proxy.
            shutdown: Shutdown the hub.
            read:metrics: Read prometheus metrics.
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -12,6 +12,7 @@ from pathlib import Path
 from urllib.request import urlretrieve

 from docutils import nodes
+from intersphinx_registry import get_intersphinx_mapping
 from ruamel.yaml import YAML
 from sphinx.directives.other import SphinxDirective
 from sphinx.util import logging
@@ -261,6 +262,7 @@ html_static_path = ["_static"]

 html_theme = "jupyterhub_sphinx_theme"
 html_theme_options = {
+    "header_links_before_dropdown": 6,
    "icon_links": [
        {
            "name": "GitHub",
@@ -294,7 +296,13 @@ linkcheck_ignore = [
    r"https://linux.die.net/.*",  # linux.die.net seems to block requests from CI with 403 sometimes
    # don't check links to unpublished advisories
    r"https://github.com/jupyterhub/jupyterhub/security/advisories/.*",
+    # Occasionally blocks CI checks with 403
+    r"https://www\.mysql\.com",
+    r"https://www\.npmjs\.com",
+    # Occasionally blocks CI checks with SSL error
+    r"https://mediaspace\.msu\.edu/.*",
 ]
+
 linkcheck_anchors_ignore = [
    "/#!",
    "/#%21",
@@ -303,12 +311,15 @@ linkcheck_anchors_ignore = [
 # -- Intersphinx -------------------------------------------------------------
 # ref: https://www.sphinx-doc.org/en/master/usage/extensions/intersphinx.html#configuration
 #
-intersphinx_mapping = {
-    "python": ("https://docs.python.org/3/", None),
-    "tornado": ("https://www.tornadoweb.org/en/stable/", None),
-    "jupyter-server": ("https://jupyter-server.readthedocs.io/en/stable/", None),
-    "nbgitpuller": ("https://nbgitpuller.readthedocs.io/en/latest", None),
+
+intersphinx_mapping = get_intersphinx_mapping(
+    packages={
+        "python",
+        "tornado",
+        "jupyter-server",
+        "nbgitpuller",
    }
+)

 # -- Options for the opengraph extension -------------------------------------
 # ref: https://github.com/wpilibsuite/sphinxext-opengraph#options
--- a/docs/source/contributing/community.md
+++ b/docs/source/contributing/community.md
@@ -2,19 +2,31 @@

 # Community communication channels

+```{note}
+Our community is distributed across the world in various timezones, so please be patient if you do not get a response immediately!
+```
+
 We use different channels of communication for different purposes. Whichever one you use will depend on what kind of communication you want to engage in.

 ## Discourse (recommended)

-We use [Discourse](https://discourse.jupyter.org) for online discussions and support questions.
-You can ask questions here if you are a first-time contributor to the JupyterHub project.
-Everyone in the Jupyter community is welcome to bring ideas and questions there.
+```{note}
+[Discourse] is open source.
+```

-We recommend that you first use our Discourse as all past and current discussions on it are archived and searchable. Thus, all discussions remain useful and accessible to the whole community.
+We use [Jupyter instance of Discourse] for online discussions and support questions.
+You can ask questions at [Jupyter instance of Discourse] if you are a first-time contributor to the JupyterHub project.
+Everyone is welcome to bring ideas and questions at [Jupyter instance of Discourse].

-## Gitter
+We recommend that you first use [Jupyter instance of Discourse] as all past and current discussions on it are archived and searchable. Thus, all discussions remain useful and accessible to the whole community.

-We use [our Gitter channel](https://gitter.im/jupyterhub/jupyterhub) for online, real-time text chat; a place for more ephemeral discussions. When you're not on Discourse, you can stop here to have other discussions on the fly.
+## Zulip
+
+```{note}
+[Zulip] is open source.
+```
+
+We use [Jupyter instance of Zulip] for online, real-time text chat; a place for more ephemeral discussions. When you're not on [Jupyter instance of Discourse], you can stop at [Jupyter instance of Zulip] to have other discussions on the fly.

 ## Github Issues

@@ -24,6 +36,7 @@ We use [our Gitter channel](https://gitter.im/jupyterhub/jupyterhub) for online,
 - If you are using a specific JupyterHub distribution (such as [Zero to JupyterHub on Kubernetes](https://github.com/jupyterhub/zero-to-jupyterhub-k8s) or [The Littlest JupyterHub](https://github.com/jupyterhub/the-littlest-jupyterhub/)), you should open issues directly in their repository.
 - If you cannot find a repository to open your issue in, do not worry! Open the issue in the [main JupyterHub repository](https://github.com/jupyterhub/jupyterhub/) and our community will help you figure it out.

-```{note}
-Our community is distributed across the world in various timezones, so please be patient if you do not get a response immediately!
-```
+[Discourse]: https://www.discourse.org/
+[Jupyter instance of Discourse]: https://discourse.jupyter.org
+[Jupyter instance of Zulip]: https://jupyter.zulipchat.com/
+[Zulip]: https://zulip.com/
--- a/docs/source/contributing/docs.md
+++ b/docs/source/contributing/docs.md
@@ -5,49 +5,42 @@
 Documentation is often more important than code. This page helps
 you get set up on how to contribute to JupyterHub's documentation.

+We use [Sphinx](https://www.sphinx-doc.org) to build our documentation. It takes
+our documentation source files (written in [Markedly Structured Text (MyST)](https://mystmd.org/) and
+stored under the `docs/source` directory) and converts it into various
+formats for people to read.
+
 ## Building documentation locally

-We use [sphinx](https://www.sphinx-doc.org) to build our documentation. It takes
-our documentation source files (written in [markdown](https://daringfireball.net/projects/markdown/) or [reStructuredText](https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html) &
-stored under the `docs/source` directory) and converts it into various
-formats for people to read. To make sure the documentation you write or
+To make sure the documentation you write or
 change renders correctly, it is good practice to test it locally.

-1. Make sure you have successfully completed {ref}`contributing:setup`.
+```{note}
+You will need Python and Git installed. Installation details are avaiable at {ref}`contributing:setup`.
+```

-2. Install the packages required to build the docs.
+1. Install the packages required to build the docs.

   ```bash
   python3 -m pip install -r docs/requirements.txt
+   python3 -m pip install sphinx-autobuild
   ```

-3. Build the html version of the docs. This is the most commonly used
+2. Build the HTML version of the docs. This is the most commonly used
   output format, so verifying it renders correctly is usually good
   enough.

   ```bash
-   cd docs
-   make html
+   sphinx-autobuild docs/source/ docs/_build/html
   ```

   This step will display any syntax or formatting errors in the documentation,
   along with the filename / line number in which they occurred. Fix them,
-   and re-run the `make html` command to re-render the documentation.
+   and the HTML will be re-render automatically.

-4. View the rendered documentation by opening `_build/html/index.html` in
+3. View the rendered documentation by opening <http://127.0.0.1:8000> in
   a web browser.

-   :::{tip}
-   **On Windows**, you can open a file from the terminal with `start <path-to-file>`.
-
-   **On macOS**, you can do the same with `open <path-to-file>`.
-
-   **On Linux**, you can do the same with `xdg-open <path-to-file>`.
-
-   After opening index.html in your browser you can just refresh the page whenever
-   you rebuild the docs via `make html`
-   :::
-
 (contributing-docs-conventions)=

 ## Documentation conventions
@@ -67,10 +60,10 @@ approach:
 python3 -m pip
 ```

-This invokes pip explicitly using the python3 binary that you are
+This invokes `pip` explicitly using the `python3` binary that you are
 currently using. This is the **recommended way** to invoke pip
 in our documentation, since it is least likely to cause problems
-with python3 and pip being from different environments.
+with `python3` and `pip` being from different environments.

 For more information on how to invoke `pip` commands, see
-[the pip documentation](https://pip.pypa.io/en/stable/).
+[the `pip` documentation](https://pip.pypa.io/en/stable/).
--- a/docs/source/contributing/index.md
+++ b/docs/source/contributing/index.md
@@ -3,7 +3,7 @@
 # Contributing

 We want you to contribute to JupyterHub in ways that are most exciting
-and useful to you. We value documentation, testing, bug reporting & code equally,
+and useful to you. We value documentation, testing, bug reporting and code equally,
 and are glad to have your contributions in whatever form you wish.

 Be sure to first check our [Code of Conduct](https://github.com/jupyter/governance/blob/HEAD/conduct/code_of_conduct.md)
--- a/docs/source/contributing/security.md
+++ b/docs/source/contributing/security.md
@@ -5,7 +5,11 @@
 If you find a security vulnerability in Jupyter or JupyterHub,
 whether it is a failure of the security model described in [Security Overview](explanation:security)
 or a failure in implementation,
-please report it to <mailto:security@ipython.org>.
+please report it!

+Please use GitHub's "Report a Vulnerability" button under Security > Advisories on the appropriate repo,
+e.g. [report here for JupyterHub](https://github.com/jupyterhub/jupyterhub/security/advisories).
+
+You may also send an email to <mailto:security@ipython.org>, but the GitHub reporting system is preferred.
 If you prefer to encrypt your security reports,
 you can use {download}`this PGP public key </ipython_security.asc>`.
--- a/docs/source/contributing/setup.md
+++ b/docs/source/contributing/setup.md
@@ -2,37 +2,56 @@

 # Setting up a development install

+JupyterHub's continuous integration runs on [Ubuntu LTS](https://ubuntu.com/).
+
+While JupyterHub is only tested on one [Linux distribution](https://en.wikipedia.org/wiki/Linux_distribution),
+it should be fairly insensitive to variations between common [POXIS](https://en.wikipedia.org/wiki/POSIX) implementation,
+though we don't have the bandwidth to verify this automatically and continuously.
+
+Feel free to try it on your platform, and be sure to {ref}`let us know <contributing:community>` about any issues you encounter.
+
 ## System requirements

-JupyterHub can only run on macOS or Linux operating systems. If you are
-using Windows, we recommend using [VirtualBox](https://virtualbox.org)
-or a similar system to run [Ubuntu Linux](https://ubuntu.com) for
-development.
+Your system **must** be able to run
+
+- Python
+- NodeJS
+- Git
+
+Our small team knows JupyterHub to work perfectly on macOS or Linux operating systems.
+
+```{admonition} What about Windows?
+Some users have reported that JupyterHub runs successfully on [Windows Subsystem for Linux (WSL)](https://learn.microsoft.com/en-us/windows/wsl/). We have no plans to support Windows outside of the WSL.
+```
+
+```{admonition} What about virtualization?
+Using any form of virtualization (for example, [VirtualBox](https://www.virtualbox.org/), [Docker](https://www.docker.com/), [Podman](https://podman.io/), [WSL](https://learn.microsoft.com/en-us/windows/wsl/)) is a good way to get up and running quickly, though properly configuring the networking settings can be a bit tricky.
+```

 ### Install Python

-JupyterHub is written in the [Python](https://python.org) programming language and
+JupyterHub is written in the [Python](https://www.python.org) programming language and
 requires you have at least version {{python_min}} installed locally. If you haven’t
 installed Python before, the recommended way to install it is to use
 [Miniforge](https://github.com/conda-forge/miniforge#download).

-### Install nodejs
+### Install NodeJS

-[NodeJS {{node_min}}+](https://nodejs.org/en/) is required for building some JavaScript components.
-`configurable-http-proxy`, the default proxy implementation for JupyterHub, is written in Javascript.
+Some JavaScript components require you have at least version {{node_min}} of [NodeJS](https://nodejs.org/en/) installed locally.
+`configurable-http-proxy`, the default proxy implementation for JupyterHub, is written in JavaScript.
 If you have not installed NodeJS before, we recommend installing it in the `miniconda` environment you set up for Python.
 You can do so with `conda install nodejs`.

 Many in the Jupyter community use [`nvm`](https://github.com/nvm-sh/nvm) to
 managing node dependencies.

-### Install git
+### Install Git

-JupyterHub uses [Git](https://git-scm.com) & [GitHub](https://github.com)
-for development & collaboration. You need to [install git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) to work on
-JupyterHub. We also recommend getting a free account on GitHub.com.
+JupyterHub uses [Git](https://git-scm.com) and [GitHub](https://github.com)
+for development and collaboration. You need to [install Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) to work on
+JupyterHub. We also recommend getting a free account on GitHub.

-## Setting up a development install
+## Install JupyterHub for development

 When developing JupyterHub, you would need to make changes and be able to instantly view the results of the changes. To achieve that, a developer install is required.

@@ -44,7 +63,7 @@ be achieved in many ways, for example, `tox`, `conda`, `docker`, etc. See this
 a more detailed discussion.
 :::

-1. Clone the [JupyterHub git repository](https://github.com/jupyterhub/jupyterhub)
+1. Clone the [JupyterHub Git repository](https://github.com/jupyterhub/jupyterhub)
   to your computer.

   ```bash
@@ -65,7 +84,7 @@ a more detailed discussion.
   npm -v
   ```

-   This should return a version number greater than or equal to 5.0.
+   This should return a version number greater than or equal to {{node_min}}.

 3. Install `configurable-http-proxy` (required to run and test the default JupyterHub configuration):

@@ -92,7 +111,7 @@ a more detailed discussion.

 4. Install an editable version of JupyterHub and its requirements for
   development and testing. This lets you edit JupyterHub code in a text editor
-   & restart the JupyterHub process to see your code changes immediately.
+   and restart the JupyterHub process to see your code changes immediately.

   ```bash
   python3 -m pip install --editable ".[test]"
@@ -109,7 +128,7 @@ a more detailed discussion.

 Happy developing!

-## Using DummyAuthenticator & SimpleLocalProcessSpawner
+## Using DummyAuthenticator and SimpleLocalProcessSpawner

 To simplify testing of JupyterHub, it is helpful to use
 {class}`~jupyterhub.auth.DummyAuthenticator` instead of the default JupyterHub
@@ -132,17 +151,17 @@ The test configuration enables a few things to make testing easier:
 - disable caching of static files

 The default JupyterHub [authenticator](PAMAuthenticator)
-& [spawner](LocalProcessSpawner)
+and [spawner](LocalProcessSpawner)
 require your system to have user accounts for each user you want to log in to
 JupyterHub as.

-DummyAuthenticator allows you to log in with any username & password,
+DummyAuthenticator allows you to log in with any username and password,
 while SimpleLocalProcessSpawner allows you to start servers without having to
 create a Unix user for each JupyterHub user. Together, these make it
 much easier to test JupyterHub.

 Tip: If you are working on parts of JupyterHub that are common to all
-authenticators & spawners, we recommend using both DummyAuthenticator &
+authenticators and spawners, we recommend using both DummyAuthenticator and
 SimpleLocalProcessSpawner. If you are working on just authenticator-related
 parts, use only SimpleLocalProcessSpawner. Similarly, if you are working on
 just spawner-related parts, use only DummyAuthenticator.
--- a/docs/source/contributing/tests.md
+++ b/docs/source/contributing/tests.md
@@ -6,16 +6,22 @@ Unit testing helps to validate that JupyterHub works the way we think it does,
 and continues to do so when changes occur. They also help communicate
 precisely what we expect our code to do.

-JupyterHub uses [pytest](https://pytest.org) for all the tests. You
-can find them under the [jupyterhub/tests](https://github.com/jupyterhub/jupyterhub/tree/main/jupyterhub/tests) directory in the git repository.
+JupyterHub uses [`pytest`](https://pytest.org) for all the tests. You
+can find them under the [jupyterhub/tests](https://github.com/jupyterhub/jupyterhub/tree/main/jupyterhub/tests) directory in the Git repository.

-## Running the tests
-
-1. Make sure you have completed {ref}`contributing:setup`.
+```{note}
+Before run any test, make sure you have completed {ref}`contributing:setup`.
 Once you are done, you would be able to run `jupyterhub` from the command line and access it from your web browser.
-   This ensures that the dev environment is properly set up for tests to run.
+This ensures that the development environment is properly set up for tests to run.
+```

-2. You can run all tests in JupyterHub
+```{note}
+For details of `pytest`, refer to the [`pytest` usage documentation](https://pytest.readthedocs.io/en/latest/usage.html).
+```
+
+## Running all the tests
+
+You can run all tests in JupyterHub

 ```bash
 pytest -v jupyterhub/tests
@@ -30,13 +36,17 @@ can find them under the [jupyterhub/tests](https://github.com/jupyterhub/jupyter
 pytest -v --cov=jupyterhub jupyterhub/tests
 ```

-3. You can also run tests in just a specific file:
+## Running tests from a specific file
+
+You can also run tests in just a specific file:

 ```bash
 pytest -v jupyterhub/tests/<test-file-name>
 ```

-4. To run a specific test only, you can do:
+## Running a single test
+
+To run a specific test only, you can do:

 ```bash
 pytest -v jupyterhub/tests/<test-file-name>::<test-name>
@@ -53,14 +63,12 @@ can find them under the [jupyterhub/tests](https://github.com/jupyterhub/jupyter
 pytest -v jupyterhub/tests/test_api.py::test_shutdown
 ```

-   For more details, refer to the [pytest usage documentation](https://pytest.readthedocs.io/en/latest/usage.html).
-
 ## Test organisation

 The tests live in `jupyterhub/tests` and are organized roughly into:

-1. `test_api.py` tests the REST API
-2. `test_pages.py` tests loading the HTML pages
+1. `test_api.py`: tests the REST API
+2. `test_pages.py`: tests loading the HTML pages

 and other collections of tests for different components.
 When writing a new test, there should usually be a test of
@@ -126,7 +134,7 @@ For more information on asyncio and event-loops, here are some resources:

 ### All the tests are failing

-Make sure you have completed all the steps in {ref}`contributing:setup` successfully, and are able to access JupyterHub from your browser at http://localhost:8000 after starting `jupyterhub` in your command line.
+Make sure you have completed all the steps in {ref}`contributing:setup` successfully, and are able to access JupyterHub from your browser at <http://localhost:8000> after starting `jupyterhub` in your command line.

 ## Code formatting and linting

--- a/docs/source/explanation/capacity-planning.md
+++ b/docs/source/explanation/capacity-planning.md
@@ -208,7 +208,7 @@ mybinder.org node CPU usage is low with 50-150 users sharing just 8 cores

 ### Concurrent users and culling idle servers

-Related to [][idleness], all of these resource consumptions and limits are calculated based on **concurrently active users**,
+Related to [](idleness), all of these resource consumptions and limits are calculated based on **concurrently active users**,
 not total users.
 You might have 10,000 users of your JupyterHub deployment, but only 100 of them running at any given time.
 That 100 is the main number you need to use for your capacity planning.
--- a/docs/source/explanation/concepts.md
+++ b/docs/source/explanation/concepts.md
@@ -88,7 +88,7 @@ The following authenticators are included with JupyterHub:
  of a ssh server, but providing a web-browser based way to access the
  machine.

-There are [plenty of others to choose from](https://github.com/jupyterhub/jupyterhub/wiki/Authenticators).
+There are [plenty of others to choose from](authenticators-reference).
 You can connect to almost any other existing service to manage your
 users. You either use all users from this other service (e.g. your
 company), or enable only the allowed users (e.g. your group's
--- a/docs/source/explanation/database.md
+++ b/docs/source/explanation/database.md
@@ -108,26 +108,29 @@ Doing so generally involves:
 ### Default backend: SQLite

 The default database backend for JupyterHub is [SQLite](https://sqlite.org).
-We have chosen SQLite as JupyterHub's default because it's simple (the 'database' is a single file) and ubiquitous (it is in the Python standard library).
-It works very well for testing, small deployments, and workshops.
+We have chosen SQLite as JupyterHub's default because it's simple (the 'database' is a single file), ubiquitous (it is in the Python standard library), and it does not require maintaining a separate database server.

-For production systems, SQLite has some disadvantages when used with JupyterHub:
+The main disadvantage of SQLite is it does not support remote backup tools or replication.
+You should backup your database by taking snapshots of the file (`jupyterhub.sqlite`).

- `upgrade-db` may not always work, and you may need to start with a fresh database
- `downgrade-db` **will not** work if you want to rollback to an earlier
-  version, so backup the `jupyterhub.sqlite` file before upgrading (JupyterHub automatically creates a date-stamped backup file when upgrading sqlite)
+SQLite is ideal for testing, small deployments, workshops, and production servers where you do not require remote backup or replication.
+
+### Picking your database backend (PostgreSQL, MySQL)

 The sqlite documentation provides a helpful page about [when to use SQLite and
 where traditional RDBMS may be a better choice](https://sqlite.org/whentouse.html).

-### Picking your database backend (PostgreSQL, MySQL)
-
-When running a long term deployment or a production system, we recommend using a full-fledged relational database, such as [PostgreSQL](https://www.postgresql.org) or [MySQL](https://www.mysql.com), that supports the SQL `ALTER TABLE` statement, which is used in some database upgrade steps.
-
 In general, you select your database backend with [](JupyterHub.db_url), and can further configure it (usually not necessary) with [](JupyterHub.db_kwargs).

 ## Notes and Tips

+### Upgrading the JupyterHub database
+
+[Upgrading JupyterHub to a new major release](howto:upgrading-jupyterhub) often requires an upgrade to the database schema.
+
+- `jupyterhub upgrade-db` will execute a schema upgrade. You should backup your database before running this.
+- `jupyterhub downgrade-db` may be able to revert a schema upgrade on PostgreSQL and MySQL, but this is not guaranteed to work, and is not supported.
+
 ### SQLite

 The SQLite database should not be used on NFS. SQLite uses reader/writer locks
--- a/docs/source/explanation/oauth.md
+++ b/docs/source/explanation/oauth.md
@@ -98,7 +98,7 @@ the OAuth callback request.
  to retrieve information about the owner of the token (the user).
  This is the step where behavior diverges for different OAuth providers.
  Up to this point, all OAuth providers are the same, following the OAuth specification.
-  However, OAuth does not define a standard for issuing tokens in exchange for information about their owner or permissions ([OpenID Connect](https://openid.net/connect/) does that),
+  However, OAuth does not define a standard for issuing tokens in exchange for information about their owner or permissions ([OpenID Connect](https://openid.net/developers/how-connect-works/) does that),
  so this step may be different for each OAuth provider.
 - Finally, the OAuth client stores its own record that the user is authorized in a cookie.
  This could be the token itself, or any other appropriate representation of successful authentication.
--- a/docs/source/explanation/websecurity.md
+++ b/docs/source/explanation/websecurity.md
@@ -101,7 +101,7 @@ matching `*.jupyter.example.org`.
 Unfortunately, for many institutional domains, wildcard DNS and SSL may not be available.

 We also **strongly encourage** serving JupyterHub and user content on a domain that is _not_ a subdomain of any sensitive content.
-For reasoning, see [GitHub's discussion of moving user content to github.io from \*.github.com](https://github.blog/2013-04-09-yummy-cookies-across-domains/).
+For reasoning, see [GitHub's discussion of moving user content to github.io from \*.github.com](https://github.blog/engineering/yummy-cookies-across-domains/).

 **If you do plan to serve untrusted users, enabling subdomains is highly encouraged**,
 as it resolves many security issues, which are difficult to unavoidable when JupyterHub is on a single-domain.
@@ -186,7 +186,6 @@ For example:

 - `Content-Security-Policy` header must prohibit popups and iframes from the same origin.
  The following Content-Security-Policy rules are _insecure_ and readily enable users to access each others' servers:
-
  - `frame-ancestors: 'self'`
  - `frame-ancestors: '*'`
  - `sandbox allow-popups`
--- a/docs/source/faq/institutional-faq.md
+++ b/docs/source/faq/institutional-faq.md
@@ -142,7 +142,7 @@ in a variety of deployment setups. This often entails connecting your JupyterHub
 in these cases, and the security of your JupyterHub deployment will often depend on these decisions.

 If you are worried about security, don't hesitate to reach out to the JupyterHub community in the
-[Jupyter Community Forum](https://discourse.jupyter.org/c/jupyterhub). This community of practice has many
+[Jupyter Community Forum](https://discourse.jupyter.org/c/jupyterhub/10). This community of practice has many
 individuals with experience running secure JupyterHub deployments and will be very glad to help you out.

 ### Does JupyterHub provide computing or data infrastructure?
--- a/docs/source/faq/troubleshooting.md
+++ b/docs/source/faq/troubleshooting.md
@@ -306,6 +306,52 @@ notebook servers to default to JupyterLab:

 Users will need a GitHub account to log in and be authenticated by the Hub.

+### I'm seeing "403 Forbidden XSRF cookie does not match POST" when users try to login
+
+During login, JupyterHub takes the request IP into account for CSRF protection.
+If proxies are not configured to properly set forwarded ips,
+JupyterHub will see all requests as coming from an internal ip,
+likely the ip of the proxy itself.
+You can see this in the JupyterHub logs, which log the ip address of requests.
+If most requests look like they are coming from a small number `10.0.x.x` or `172.16.x.x` ips, the proxy is not forwarding the true request ip properly.
+If the proxy has multiple replicas,
+then it is likely the ip may change from one request to the next,
+leading to this error during login:
+
+> 403 Forbidden XSRF cookie does not match POST argument
+
+The best way to fix this is to ensure your proxies set the forwarded headers, e.g. for nginx:
+
+```nginx
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+```
+
+But if this is not available to you, you can instruct jupyterhub to ignore IPs from certain networks
+with the environment variable `$JUPYTERHUB_XSRF_ANONYMOUS_IP_CIDRS`.
+For example, to ignore the common [private networks](https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses):
+
+```bash
+export JUPYTERHUB_XSRF_ANONYMOUS_IP_CIDRS="10.0.0.0/8;172.16.0.0/12;192.168.0.0/16"
+```
+
+The result will be that any request from an ip on one of these networks will be treated as coming from the same source.
+
+To totally disable taking the ip into consideration, set
+
+```bash
+export JUPYTERHUB_XSRF_ANONYMOUS_IP_CIDRS="0.0.0.0/0"
+```
+
+If your proxy sets its own headers to identify a browser origin, you can instruct JupyterHub to use those:
+
+```bash
+export JUPYTERHUB_XSRF_ANONYMOUS_ID_HEADERS="My-Custom-Header;User-Agent"
+```
+
+Again, these things are only used to compute the XSRF token used while a user is not logged in (i.e. during login itself).
+
 ### How do I set up rotating daily logs?

 You can do this with [logrotate](https://linux.die.net/man/8/logrotate),
--- a/docs/source/howto/configuration/config-sudo.md
+++ b/docs/source/howto/configuration/config-sudo.md
@@ -35,7 +35,7 @@ This user shouldn't have a login shell or password (possible with -r).

 ## Set up sudospawner

-Next, you will need [sudospawner](https://github.com/jupyter/sudospawner)
+Next, you will need [sudospawner](https://github.com/jupyterhub/sudospawner)
 to enable monitoring the single-user servers with sudo:

 ```bash
@@ -72,7 +72,7 @@ rhea ALL=(JUPYTER_USERS) NOPASSWD:JUPYTER_CMD
 ```

 It might be useful to modify `secure_path` to add commands in path. (Search for
-`secure_path` in the [sudo docs](https://www.sudo.ws/man/1.8.14/sudoers.man.html)
+`secure_path` in the [sudo docs](https://www.sudo.ws)

 As an alternative to adding every user to the `/etc/sudoers` file, you can
 use a group in the last line above, instead of `JUPYTER_USERS`:
@@ -125,7 +125,7 @@ the shadow password database.
 **Note:** On [Fedora based distributions](https://fedoraproject.org/wiki/List_of_Fedora_remixes) there is no clear way to configure
 the PAM database to allow sufficient access for authenticating with the target user's password
 from JupyterHub. As a workaround we recommend use an
-[alternative authentication method](https://github.com/jupyterhub/jupyterhub/wiki/Authenticators).
+[alternative authentication method](authenticators-reference).

 ```bash
 $ ls -l /etc/shadow
--- a/docs/source/howto/forced-login.md
+++ b/docs/source/howto/forced-login.md
@@ -0,0 +1,130 @@
+# Logging users in via URL
+
+Sometimes, JupyterHub is integrated into an existing application that has already handled user login, etc..
+It is often preferable in these applications to be able to link users to their running JupyterHub server without _prompting_ the user to login again with the Hub when the Hub should really be an implementation detail,
+and not part of the user experience.
+
+One way to do this has been to use [API only mode](#howto:api-only), issue tokens for users, and redirect users to a URL like `/users/name/?token=abc123`.
+This is [disabled by default](#HubAuth.allow_token_in_url) in JupyterHub 5, because it presents a vulnerability for users to craft links that let _other_ users login as them, which can lead to inter-user attacks.
+
+But that leaves the question: how do I as an _application developer_ embedding JupyterHub link users to their own running server without triggering another login prompt?
+
+The problem with `?token=...` in the URL is specifically that _users_ can get and create these tokens, and share URLs.
+This wouldn't be an issue if only authorized applications could issue tokens that behave this way.
+The single-user server doesn't exactly have the hooks to manage this easily, but the [Authenticator](#Authenticator) API does.
+
+## Problem statement
+
+We want our external application to be able to:
+
+1. authenticate users
+2. (maybe) create JupyterHub users
+3. start JupyterHub servers
+4. redirect users into running servers _without_ any login prompts/loading pages from JupyterHub, and without any prior JupyterHub credentials
+
+Step 1 is up to the application and not JupyterHub's problem.
+Step 2 and 3 use the JupyterHub [REST API](#jupyterhub-rest-API).
+The service would need the scopes:
+
+```
+admin:users # creating users
+servers # start/stop servers
+```
+
+That leaves the last step: sending users to their running server with credentials, without prompting login.
+This is where things can get tricky!
+
+### Ideal case: oauth
+
+_Ideally_, the best way to set this up is with the external service as an OAuth provider,
+though in some cases it works best to use proxy-based authentication like Shibboleth / [REMOTE_USER](https://github.com/cwaldbieser/jhub_remote_user_authenticator).
+The main things to know are:
+
+- Links to `/hub/user-redirect/some/path` will ultimately land users at `/users/theirserver/some/path` after completing login, ensuring the server is running, etc.
+- Setting `Authenticator.auto_login = True` allows beginning the login process without JupyterHub's "Login with..." prompt
+
+_If_ your OAuth provider allows logging in to external services via your oauth provider without prompting, this is enough.
+Not all do, though.
+
+If you've already ensured the server is running, this will _appear_ to the user as if they are being sent directly to their running server.
+But what _actually_ happens is quite a series of redirects, state checks, and cookie-setting:
+
+1. visiting `/hub/user-redirect/some/path` checks if the user is logged in
+   1. if not, begin the login process (`/hub/login?next=/hub/user-redirect/...`)
+   2. redirects to your oauth provider to authenticate the user
+   3. redirects back to `/hub/oauth_callback` to complete login
+   4. redirects back to `/hub/user-redirect/...`
+2. once authenticated, checks that the user's server is running
+   1. if not running, begins launch of the server
+   2. redirects to `/hub/spawn-pending/?next=...`
+3. once the server is running, redirects to the actual user server `/users/username/some/path`
+
+Now we're done, right? Actually, no, because the browser doesn't have credentials for their user server!
+This sequence of redirects happens all the time in JupyterHub launch, and is usually totally transparent.
+
+4. at the user server, check for a token in cookie
+   1. if not present or not valid, begin oauth with the Hub (redirect to `/hub/api/oauth2/authorize/...`)
+   2. hub redirects back to `/users/user/oauth_callback` to complete oauth
+   3. redirect again to the URL that started this internal oauth
+5. finally, arrive at `/users/username/some/path`, the ultimate destination, with valid JupyterHub credentials
+
+The steps that will show users something other than the page you want them to are:
+
+- Step 1.1 will be a prompt e.g. with "Login with..." unless you set `c.Authenticator.auto_login = True`
+- Step 1.2 _may_ be a prompt from your oauth provider. This isn't controlled by JupyterHub, and may not be avoidable.
+- Step 2.2 will show the spawn pending page only if the server is not already running
+
+Otherwise, this is all transparent redirects to the final destination.
+
+#### Using an authentication proxy (REMOTE_USER)
+
+If you use an Authentication proxy like Shibboleth that sets e.g. the REMOTE_USER header,
+you can use an Authenticator like [RemoteUserAuthenticator](https://github.com/cwaldbieser/jhub_remote_user_authenticator) to automatically login users based on headers in the request.
+The same process will work, but instead of step 1.1 redirecting to the oauth provider, it logs in immediately.
+If you do support an auth proxy, you also need to be extremely sure that requests only come from the auth proxy, and don't accept any requests setting the REMOTE_USER header coming from other sources.
+
+### Custom case
+
+But let's say you can't use OAuth or REMOTE_USER, and you still want to hide JupyterHub implementation details.
+All you really want is a way to write a URL that will take users to their servers without any login prompts.
+
+You can do this if you create an Authenticator with `auto_login=True` that logs users in based on something in the _request_, e.g. a query parameter.
+
+We have an _example_ in the JupyterHub repo in `examples/forced-login` that does this.
+It is a sample 'external service' where you type in a username and a destination path.
+When you 'login' with this username:
+
+1. a token is issued
+2. the token is stored and associated with the username
+3. redirect to `/hub/login?login_token=...&next=/hub/user-redirect/destination/path`
+
+Then on the JupyterHub side, there is the `ForcedLoginAuthenticator`.
+This class implements `authenticate`, which:
+
+1. has `auto_login = True` so visiting `/hub/login` calls `authenticate()` directly instead of serving a page
+2. gets the token from the `login_token` URL parameter
+3. makes a POST request to the external application with the token, requesting a username
+4. the external application returns the username and deletes the token, so it cannot be re-used
+5. Authenticator returns the username
+
+This doesn't _bypass_ JupyterHub authentication, as some deployments have done, but it does _hide_ it.
+If your service launches servers via the API, you could run this in [API only mode](#howto:api-only) by adding `/hub/login` as well:
+
+```python
+c.JupyterHub.hub_routespec = "/hub/api/"
+c.Proxy.additional_routes = {"/hub/login": "http://hub:8080"}
+```
+
+```{literalinclude} ../../../examples/forced-login/jupyterhub_config.py
+:language: python
+:start-at: class ForcedLoginAuthenticator
+:end-before: c = get_config()
+```
+
+**Why does this work?**
+
+This is still logging in with a token in the URL, right?
+Yes, but the key difference is that users cannot issue these tokens.
+The sample application is still technically vulnerable, because the token link should really be non-transferrable, even if it can only be used once.
+The only defense the sample application has against this is rapidly expiring tokens (they expire after 30 seconds).
+You can use state cookies, etc. to manage that more rigorously, as done in OAuth (at which point, maybe implement OAuth itself, why not?).
--- a/docs/source/howto/index.md
+++ b/docs/source/howto/index.md
@@ -14,7 +14,7 @@ separate-proxy
 templates
 upgrading
 log-messages
-
+forced-login
 ```

 (config-examples)=
--- a/docs/source/howto/log-messages.md
+++ b/docs/source/howto/log-messages.md
@@ -71,4 +71,4 @@ aligned, rather than as an indicator of an existing problem.
 Upgrade the version of the `jupyterhub` package in your user environment or image
 so that it matches the version of JupyterHub running your JupyterHub server! If you
 are using the [zero-to-jupyterhub](https://z2jh.jupyter.org) helm chart, you can find the appropriate
-version of the `jupyterhub` package to install in your user image [here](https://jupyterhub.github.io/helm-chart/)
+version of the `jupyterhub` package to install in your user image [here](https://hub.jupyter.org/helm-chart/)
--- a/docs/source/howto/proxy.md
+++ b/docs/source/howto/proxy.md
@@ -232,4 +232,4 @@ A list of the proxies that are currently available for JupyterHub (that we know

 1. [`jupyterhub/configurable-http-proxy`](https://github.com/jupyterhub/configurable-http-proxy) The default proxy which uses node-http-proxy
 2. [`jupyterhub/traefik-proxy`](https://github.com/jupyterhub/traefik-proxy) The proxy which configures traefik proxy server for jupyterhub
-3. [`AbdealiJK/configurable-http-proxy`](https://github.com/AbdealiJK/configurable-http-proxy) A pure python implementation of the configurable-http-proxy
+3. [`AbdealiJK/configurable-http-proxy`](https://github.com/corridor/configurable-http-proxy) A pure python implementation of the configurable-http-proxy
--- a/docs/source/howto/rest.md
+++ b/docs/source/howto/rest.md
@@ -201,7 +201,7 @@ Authorization header.

 ### Use requests

-Using the popular Python [requests](https://docs.python-requests.org)
+Using the popular Python [requests](https://requests.readthedocs.io)
 library, an API GET request is made to [/users](rest-api-get-users), and the request sends an API token for
 authorization. The response contains information about the users, here's example code to make an API request for the users of a JupyterHub deployment

--- a/docs/source/howto/upgrading.md
+++ b/docs/source/howto/upgrading.md
@@ -27,7 +27,7 @@ For specific version migrations:
 The [changelog](changelog) contains information on what has
 changed with the new JupyterHub release and any deprecation warnings.
 Read these notes to familiarize yourself with the coming changes. There
-might be new releases of the authenticators & spawners you use, so
+might be new releases of the authenticators and spawners you use, so
 read the changelogs for those too!

 ## Notify your users
@@ -41,7 +41,7 @@ If you use a different proxy or run `configurable-http-proxy`
 independent of JupyterHub, your users will be able to continue using notebook
 servers they had already launched, but will not be able to launch new servers or sign in.

-## Backup database & config
+## Backup database and config

 Before doing an upgrade, it is critical to back up:

@@ -90,7 +90,7 @@ with:
 conda install -c conda-forge jupyterhub==<version>
 ```

-You should also check for new releases of the authenticator & spawner you
+You should also check for new releases of the authenticator and spawner you
 are using. You might wish to upgrade those packages, too, along with JupyterHub
 or upgrade them separately.

@@ -107,17 +107,6 @@ jupyterhub upgrade-db
 This should find the location of your database, and run the necessary upgrades
 for it.

-### SQLite database disadvantages
-
-SQLite has some disadvantages when it comes to upgrading JupyterHub. These
-are:
-
- `upgrade-db` may not work, and you may need to delete your database
-  and start with a fresh one.
- `downgrade-db` **will not** work if you want to rollback to an
-  earlier version, so backup the `jupyterhub.sqlite` file before
-  upgrading.
-
 ### What happens if I delete my database?

 Losing the Hub database is often not a big deal. Information that
--- a/docs/source/index.md
+++ b/docs/source/index.md
@@ -17,7 +17,7 @@ It has two main distributions which are developed to serve the needs of each of

 1. [The Littlest JupyterHub](https://github.com/jupyterhub/the-littlest-jupyterhub) distribution is suitable if you need a small number of users (1-100) and a single server with a simple environment.
 2. [Zero to JupyterHub with Kubernetes](https://github.com/jupyterhub/zero-to-jupyterhub-k8s) allows you to deploy dynamic servers on the cloud if you need even more users.
-   This distribution runs JupyterHub on top of [Kubernetes](https://k8s.io).
+   This distribution runs JupyterHub on top of [Kubernetes](https://kubernetes.io/).

 ```{note}
 It is important to evaluate these distributions before you can continue with the
--- a/docs/source/rbac/generate-scope-table.py
+++ b/docs/source/rbac/generate-scope-table.py
@@ -14,26 +14,52 @@ The files are:
       scopes descriptions are updated in it.
 """

-import os
 from collections import defaultdict
 from pathlib import Path
-from subprocess import run

 from pytablewriter import MarkdownTableWriter
 from ruamel.yaml import YAML

+HERE = Path(__file__).parent.absolute()
+DOCS = HERE / ".." / ".."
+REST_API_YAML = DOCS.joinpath("source", "_static", "rest-api.yml")
+SCOPE_TABLE_MD = HERE.joinpath("scope-table.md")
+
+
+def _load_jupyterhub_info():
+    """
+    The equivalent of
+
        from jupyterhub import __version__
        from jupyterhub.scopes import scope_definitions

-HERE = os.path.abspath(os.path.dirname(__file__))
-DOCS = Path(HERE).parent.parent.absolute()
-REST_API_YAML = DOCS.joinpath("source", "_static", "rest-api.yml")
-SCOPE_TABLE_MD = Path(HERE).joinpath("scope-table.md")
+    but without needing to install JupyterHub and dependencies
+    so that we can run this pre-commit
+    """
+    root = HERE / ".." / ".." / ".."
+    g = {}
+    exec((root / "jupyterhub" / "_version.py").read_text(), g)
+
+    # To avoid parsing the whole of scope_definitions.py just pull out
+    # the relevant lines
+    scopes_file = root / "jupyterhub" / "scopes.py"
+    scopes_lines = []
+    for line in scopes_file.read_text().splitlines():
+        if not scopes_lines and line == "scope_definitions = {":
+            scopes_lines.append(line)
+        elif scopes_lines:
+            scopes_lines.append(line)
+            if line == "}":
+                break
+
+    exec("\n".join(scopes_lines), g)
+
+    return g["__version__"], g["scope_definitions"]


 class ScopeTableGenerator:
    def __init__(self):
-        self.scopes = scope_definitions
+        self.version, self.scopes = _load_jupyterhub_info()

    @classmethod
    def create_writer(cls, table_name, headers, values):
@@ -131,7 +157,7 @@ class ScopeTableGenerator:
        with open(filename) as f:
            content = yaml.load(f.read())

-        content["info"]["version"] = __version__
+        content["info"]["version"] = self.version
        for scope in self.scopes:
            description = self.scopes[scope]['description']
            doc_description = self.scopes[scope].get('doc_description', '')
@@ -145,12 +171,6 @@ class ScopeTableGenerator:
        with open(filename, 'w') as f:
            yaml.dump(content, f)

-        run(
-            ['pre-commit', 'run', 'prettier', '--files', filename],
-            cwd=HERE,
-            check=False,
-        )
-

 def main():
    table_generator = ScopeTableGenerator()
--- a/docs/source/rbac/scope-table.md
+++ b/docs/source/rbac/scope-table.md
@@ -0,0 +1,58 @@
+Table 1. Available scopes and their hierarchy
+|                                    Scope                                    |                                                                                         Grants permission to:                                                                                         |
+| --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `(no_scope)`                                                                | Identify the owner of the requesting entity.                                                                                                                                                          |
+| `self`                                                                      | The user’s own resources _(metascope for users, resolves to (no_scope) for services)_                                                                                                                 |
+| `inherit`                                                                   | Everything that the token-owning entity can access _(metascope for tokens)_                                                                                                                           |
+| `admin-ui`                                                                  | Access the admin page. Permission to take actions via the admin page granted separately.                                                                                                              |
+| `admin:users`                                                               | Read, modify, create, and delete users and their authentication state, not including their servers or tokens. This is an extremely privileged scope and should be considered tantamount to superuser. |
+| &nbsp;&nbsp;&nbsp;`admin:auth_state`                                        | Read a user’s authentication state.                                                                                                                                                                   |
+| &nbsp;&nbsp;&nbsp;`users`                                                   | Read and write permissions to user models (excluding servers, tokens and authentication state).                                                                                                       |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users`                            | Read user models (including the URL of the default server if it is running).                                                                                                                          |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:name`     | Read names of users.                                                                                                                                                                                  |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:groups`   | Read users’ group membership.                                                                                                                                                                         |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:activity` | Read time of last user activity.                                                                                                                                                                      |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`list:users`                            | List users, including at least their names.                                                                                                                                                           |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:name`     | Read names of users.                                                                                                                                                                                  |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`users:activity`                        | Update time of last user activity.                                                                                                                                                                    |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:activity` | Read time of last user activity.                                                                                                                                                                      |
+| &nbsp;&nbsp;&nbsp;`read:roles:users`                                        | Read user role assignments.                                                                                                                                                                           |
+| &nbsp;&nbsp;&nbsp;`delete:users`                                            | Delete users.                                                                                                                                                                                         |
+| `read:roles`                                                                | Read role assignments.                                                                                                                                                                                |
+| &nbsp;&nbsp;&nbsp;`read:roles:users`                                        | Read user role assignments.                                                                                                                                                                           |
+| &nbsp;&nbsp;&nbsp;`read:roles:services`                                     | Read service role assignments.                                                                                                                                                                        |
+| &nbsp;&nbsp;&nbsp;`read:roles:groups`                                       | Read group role assignments.                                                                                                                                                                          |
+| `admin:servers`                                                             | Read, start, stop, create and delete user servers and their state.                                                                                                                                    |
+| &nbsp;&nbsp;&nbsp;`admin:server_state`                                      | Read and write users’ server state.                                                                                                                                                                   |
+| &nbsp;&nbsp;&nbsp;`servers`                                                 | Start and stop user servers.                                                                                                                                                                          |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:servers`                          | Read users’ names and their server models (excluding the server state).                                                                                                                               |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:name`     | Read names of users.                                                                                                                                                                                  |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`delete:servers`                        | Stop and delete users' servers.                                                                                                                                                                       |
+| `tokens`                                                                    | Read, write, create and delete user tokens.                                                                                                                                                           |
+| &nbsp;&nbsp;&nbsp;`read:tokens`                                             | Read user tokens.                                                                                                                                                                                     |
+| `admin:groups`                                                              | Read and write group information, create and delete groups.                                                                                                                                           |
+| &nbsp;&nbsp;&nbsp;`groups`                                                  | Read and write group information, including adding/removing any users to/from groups. Note: adding users to groups may affect permissions.                                                            |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:groups`                           | Read group models.                                                                                                                                                                                    |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:groups:name`    | Read group names.                                                                                                                                                                                     |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`list:groups`                           | List groups, including at least their names.                                                                                                                                                          |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:groups:name`    | Read group names.                                                                                                                                                                                     |
+| &nbsp;&nbsp;&nbsp;`read:roles:groups`                                       | Read group role assignments.                                                                                                                                                                          |
+| &nbsp;&nbsp;&nbsp;`delete:groups`                                           | Delete groups.                                                                                                                                                                                        |
+| `admin:services`                                                            | Create, read, update, delete services, not including services defined from config files.                                                                                                              |
+| &nbsp;&nbsp;&nbsp;`list:services`                                           | List services, including at least their names.                                                                                                                                                        |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:services:name`                    | Read service names.                                                                                                                                                                                   |
+| &nbsp;&nbsp;&nbsp;`read:services`                                           | Read service models.                                                                                                                                                                                  |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:services:name`                    | Read service names.                                                                                                                                                                                   |
+| &nbsp;&nbsp;&nbsp;`read:roles:services`                                     | Read service role assignments.                                                                                                                                                                        |
+| `read:hub`                                                                  | Read detailed information about the Hub.                                                                                                                                                              |
+| `access:services`                                                           | Access services via API or browser.                                                                                                                                                                   |
+| `shares`                                                                    | Manage access to shared servers.                                                                                                                                                                      |
+| &nbsp;&nbsp;&nbsp;`access:servers`                                          | Access user servers via API or browser.                                                                                                                                                               |
+| &nbsp;&nbsp;&nbsp;`read:shares`                                             | Read information about shared access to servers.                                                                                                                                                      |
+| &nbsp;&nbsp;&nbsp;`users:shares`                                            | Read and revoke a user's access to shared servers.                                                                                                                                                    |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:users:shares`                     | Read servers shared with a user.                                                                                                                                                                      |
+| &nbsp;&nbsp;&nbsp;`groups:shares`                                           | Read and revoke a group's access to shared servers.                                                                                                                                                   |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`read:groups:shares`                    | Read servers shared with a group.                                                                                                                                                                     |
+| `proxy`                                                                     | Read information about the proxy’s routing table, sync the Hub with the proxy and notify the Hub about a new proxy.                                                                                   |
+| `shutdown`                                                                  | Shutdown the hub.                                                                                                                                                                                     |
+| `read:metrics`                                                              | Read prometheus metrics.                                                                                                                                                                              |
--- a/docs/source/rbac/tech-implementation.md
+++ b/docs/source/rbac/tech-implementation.md
@@ -84,7 +84,6 @@ The passed scopes are compared to the scopes required to access the API as follo
 - if the API scopes are present within the set of passed scopes, the access is granted and the API returns its "full" response

 - if that is not the case, another check is utilized to determine if subscopes of the required API scopes can be found in the passed scope set:
-
  - if found, the RBAC framework employs the {ref}`filtering <vertical-filtering-target>` procedures to refine the API response to access only resource attributes corresponding to the passed scopes. For example, providing a scope `read:users:activity!group=class-C` for the `GET /users` API will return a list of user models from group `class-C` containing only the `last_activity` attribute for each user model

  - if not found, the access to API is denied
--- a/docs/source/reference/api/auth.md
+++ b/docs/source/reference/api/auth.md
@@ -1,33 +1,42 @@
 # Authenticators

-## Module: {mod}`jupyterhub.auth`
-
 ```{eval-rst}
-.. automodule:: jupyterhub.auth
+.. module:: jupyterhub.auth
 ```

-### {class}`Authenticator`
+## {class}`Authenticator`

 ```{eval-rst}
 .. autoconfigurable:: Authenticator
   :members:
 ```

-### {class}`LocalAuthenticator`
+## {class}`LocalAuthenticator`

 ```{eval-rst}
 .. autoconfigurable:: LocalAuthenticator
   :members:
 ```

-### {class}`PAMAuthenticator`
+## {class}`PAMAuthenticator`

 ```{eval-rst}
 .. autoconfigurable:: PAMAuthenticator
 ```

-### {class}`DummyAuthenticator`
+## {class}`DummyAuthenticator`

 ```{eval-rst}
 .. autoconfigurable:: DummyAuthenticator
 ```
+
+```{eval-rst}
+.. module:: jupyterhub.authenticators.shared
+```
+
+## {class}`SharedPasswordAuthenticator`
+
+```{eval-rst}
+.. autoconfigurable:: SharedPasswordAuthenticator
+   :no-inherited-members:
+```
--- a/docs/source/reference/api/spawner.md
+++ b/docs/source/reference/api/spawner.md
@@ -10,7 +10,7 @@

 ```{eval-rst}
 .. autoconfigurable:: Spawner
-   :members: options_from_form, poll, start, stop, get_args, get_env, get_state, template_namespace, format_string, create_certs, move_certs
+   :members: options_from_form, user_options, poll, start, stop, get_args, get_env, get_state, template_namespace, format_string, create_certs, move_certs
 ```

 ### {class}`LocalProcessSpawner`
--- a/docs/source/reference/authenticators.md
+++ b/docs/source/reference/authenticators.md
@@ -36,16 +36,56 @@ A [generic implementation](https://github.com/jupyterhub/oauthenticator/blob/mas

 ## The Dummy Authenticator

-When testing, it may be helpful to use the
-{class}`~.jupyterhub.auth.DummyAuthenticator`. This allows for any username and
-password unless a global password has been set. Once set, any username will
-still be accepted but the correct password will need to be provided.
+When testing, it may be helpful to use the {class}`~.jupyterhub.auth.DummyAuthenticator`:
+
+```python
+c.JupyterHub.authenticator_class = "dummy"
+# always a good idea to limit to localhost when testing with an insecure config
+c.JupyterHub.ip = "127.0.0.1"
+```
+
+This allows for any username and password to login, and is _wildly_ insecure.
+
+To use, specify
+
+```python
+c.JupyterHub.authenticator_class = "dummy"
+```

 :::{versionadded} 5.0
 The DummyAuthenticator's default `allow_all` is True,
 unlike most other Authenticators.
 :::

+:::{deprecated} 5.3
+Setting a password on DummyAuthenticator is deprecated.
+Use the new {class}`~.jupyterhub.authenticators.shared.SharedPasswordAuthenticator`
+if you want to set a shared password for users.
+:::
+
+## Shared Password Authenticator
+
+:::{versionadded} 5.3
+{class}`~.jupyterhub.authenticators.shared.SharedPasswordAuthenticator` is added and [DummyAuthenticator.password](#DummyAuthenticator.password) is deprecated.
+:::
+
+For short-term deployments like workshops where there is no real user data to protect and you trust users to not abuse the system or each other,
+{class}`~.jupyterhub.authenticators.shared.SharedPasswordAuthenticator` can be used.
+
+Set a [user password](#SharedPasswordAuthenticator.user_password) for users to login:
+
+```python
+c.JupyterHub.authenticator_class = "shared-password"
+c.SharedPasswordAuthenticator.user_password = "my-workshop-2042"
+```
+
+You can also grant admin users access by adding them to `admin_users` and setting a separate [admin password](#SharedPasswordAuthenticator.admin_password):
+
+```python
+c.Authenticator.admin_users = {"danger", "eggs"}
+c.SharedPasswordAuthenticator.admin_password = "extra-super-secret-secure-password"
+```
+
 ## Additional Authenticators

 Additional authenticators can be found on GitHub
@@ -469,8 +509,19 @@ which is a list of group names the user should be a member of:
 - If `None` is returned, no changes are made to the user's group membership

 If authenticator-managed groups are enabled,
-all group-management via the API is disabled,
-and roles cannot be specified with `load_groups` traitlet.
+groups cannot be specified with `load_groups` traitlet.
+
+:::{warning}
+When `manage_groups` is True,
+managing groups via the API is still permitted via the `admin:groups` scope (starting with 5.3),
+but any time a user logs in their group membership is completely reset via the login process.
+So it only really makes sense to make manual changes via the API that reflect upstream changes which are not automatically propagated, such as group deletion.
+
+:::
+
+:::{versionchanged} 5.3
+Prior to JupyterHub 5.3, all group management via the API was disabled if `Authenticator.manage_groups` is True.
+:::

 (authenticator-roles)=

--- a/docs/source/reference/changelog.md
+++ b/docs/source/reference/changelog.md
@@ -20,6 +20,166 @@ Contributors to major version bumps in JupyterHub include:

 ## [Unreleased]

+## 5.4
+
+### 5.4.0 - 2025-10-06
+
+JupyterHub 5.4 is a small release with a few new features and several nice bugfixes.
+No special upgrade steps should be required.
+
+([full changelog](https://github.com/jupyterhub/jupyterhub/compare/5.3.0...5.4.0))
+
+#### New features added
+
+- Add Authenticator.refresh_pre_stop option [#5067](https://github.com/jupyterhub/jupyterhub/pull/5067) ([@kreuzert](https://github.com/kreuzert), [@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+
+#### Enhancements made
+
+- Add confirmation dialog for named server deletion [#5093](https://github.com/jupyterhub/jupyterhub/pull/5093) ([@kateryna-tarelkina-dd](https://github.com/kateryna-tarelkina-dd), [@minrk](https://github.com/minrk))
+
+#### Bugs fixed
+
+- make sure internal ssl works with pycurl [#5164](https://github.com/jupyterhub/jupyterhub/pull/5164) ([@minrk](https://github.com/minrk), [@kreuzert](https://github.com/kreuzert))
+- don't revert asynchttp class when setting up internal ssl [#5159](https://github.com/jupyterhub/jupyterhub/pull/5159) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio), [@kreuzert](https://github.com/kreuzert))
+- set HTTP status when spawn via GET params fails [#5146](https://github.com/jupyterhub/jupyterhub/pull/5146) ([@agoose77](https://github.com/agoose77), [@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- fix: use `contains_eager` instead of O(N²) `joinedload` in `init_spawners` [#5109](https://github.com/jupyterhub/jupyterhub/pull/5109) ([@agoose77](https://github.com/agoose77), [@minrk](https://github.com/minrk), [@yuvipanda](https://github.com/yuvipanda))
+- Fix hub activity log to use spawner.last_activity [#5102](https://github.com/jupyterhub/jupyterhub/pull/5102) ([@joeyutong](https://github.com/joeyutong), [@minrk](https://github.com/minrk))
+- send event if spawn_future was cancelled and spawner not pending [#5091](https://github.com/jupyterhub/jupyterhub/pull/5091) ([@kreuzert](https://github.com/kreuzert), [@manics](https://github.com/manics))
+- Fix internal ssl: do not disable hostname verification by default [#5076](https://github.com/jupyterhub/jupyterhub/pull/5076) ([@grios-stratio](https://github.com/grios-stratio), [@consideRatio](https://github.com/consideRatio), [@minrk](https://github.com/minrk))
+
+#### Maintenance and upkeep improvements
+
+- linkcheck: npmjs 403s from CI [#5162](https://github.com/jupyterhub/jupyterhub/pull/5162) ([@minrk](https://github.com/minrk))
+- unpin pytest-asyncio [#5161](https://github.com/jupyterhub/jupyterhub/pull/5161) ([@minrk](https://github.com/minrk))
+- Upgrade to font-awesome 7 [#5130](https://github.com/jupyterhub/jupyterhub/pull/5130) ([@yuvipanda](https://github.com/yuvipanda), [@minrk](https://github.com/minrk))
+- use browser.wait_for_url instead of expect(browser).to_have_url [#5120](https://github.com/jupyterhub/jupyterhub/pull/5120) ([@minrk](https://github.com/minrk))
+- jsx: add dependabot group for jest, update everything [#5119](https://github.com/jupyterhub/jupyterhub/pull/5119) ([@minrk](https://github.com/minrk))
+- Avoid double `//` in `test_proxy_service` [#5105](https://github.com/jupyterhub/jupyterhub/pull/5105) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- pytest-asyncio <1.0.0 [#5094](https://github.com/jupyterhub/jupyterhub/pull/5094) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- Switch to rbubley/mirrors-prettier, downgrade prettier to last proper release v3.6.2 [#5092](https://github.com/jupyterhub/jupyterhub/pull/5092) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+
+#### Documentation improvements
+
+- update quickstart, authenticator doc with 5.0 allow changes [#5140](https://github.com/jupyterhub/jupyterhub/pull/5140) ([@minrk](https://github.com/minrk), [@manics](https://github.com/manics))
+- update the status of access sharing UI [#5137](https://github.com/jupyterhub/jupyterhub/pull/5137) ([@akhmerov](https://github.com/akhmerov), [@krassowski](https://github.com/krassowski), [@minrk](https://github.com/minrk))
+- Add note about Windows Subsystem for Linux [#5129](https://github.com/jupyterhub/jupyterhub/pull/5129) ([@rgaiacs](https://github.com/rgaiacs), [@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- Review contributing section from documentation [#5128](https://github.com/jupyterhub/jupyterhub/pull/5128) ([@rgaiacs](https://github.com/rgaiacs), [@yuvipanda](https://github.com/yuvipanda))
+- Remove warnings about sqlite in production [#5124](https://github.com/jupyterhub/jupyterhub/pull/5124) ([@manics](https://github.com/manics), [@consideRatio](https://github.com/consideRatio))
+- allow 6 items in header drop-down [#5123](https://github.com/jupyterhub/jupyterhub/pull/5123) ([@minrk](https://github.com/minrk), [@rgaiacs](https://github.com/rgaiacs))
+- update doc links with permanent redirects [#5118](https://github.com/jupyterhub/jupyterhub/pull/5118) ([@minrk](https://github.com/minrk), [@manics](https://github.com/manics), [@rgaiacs](https://github.com/rgaiacs))
+- Collection of small improvements to contributor documentation [#5116](https://github.com/jupyterhub/jupyterhub/pull/5116) ([@rgaiacs](https://github.com/rgaiacs), [@choldgraf](https://github.com/choldgraf), [@consideRatio](https://github.com/consideRatio))
+- Docs: fix broken linkcheck [#5097](https://github.com/jupyterhub/jupyterhub/pull/5097) ([@manics](https://github.com/manics), [@consideRatio](https://github.com/consideRatio))
+- Replace Gitter with Zulip in Documentation [#5096](https://github.com/jupyterhub/jupyterhub/pull/5096) ([@rgaiacs](https://github.com/rgaiacs), [@manics](https://github.com/manics))
+- update security.md, security doc to point to GitHub vulnerability reporting [#5072](https://github.com/jupyterhub/jupyterhub/pull/5072) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio), [@mathbunnyru](https://github.com/mathbunnyru))
+- Update docs to point to `/hub/user-redirect/` instead of `/user-redirect/` [#5071](https://github.com/jupyterhub/jupyterhub/pull/5071) ([@agoose77](https://github.com/agoose77), [@consideRatio](https://github.com/consideRatio))
+- Add missing literal to code tags [#5070](https://github.com/jupyterhub/jupyterhub/pull/5070) ([@Paul2708](https://github.com/Paul2708), [@consideRatio](https://github.com/consideRatio))
+- Fix link in changelog [#5069](https://github.com/jupyterhub/jupyterhub/pull/5069) ([@krassowski](https://github.com/krassowski), [@minrk](https://github.com/minrk))
+- Update team compass URL [#5068](https://github.com/jupyterhub/jupyterhub/pull/5068) ([@choldgraf](https://github.com/choldgraf), [@minrk](https://github.com/minrk))
+- Fix incorrect login username in service-fastapi README.md [#5064](https://github.com/jupyterhub/jupyterhub/pull/5064) ([@chilin0525](https://github.com/chilin0525), [@manics](https://github.com/manics))
+- add forced login example [#5056](https://github.com/jupyterhub/jupyterhub/pull/5056) ([@minrk](https://github.com/minrk), [@manics](https://github.com/manics))
+- doc: spawner.delete_forever applies to users and named servers [#5052](https://github.com/jupyterhub/jupyterhub/pull/5052) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+
+#### Contributors to this release
+
+The following people contributed discussions, new ideas, code and documentation contributions, and review.
+See [our definition of contributors](https://github-activity.readthedocs.io/en/latest/#how-does-this-tool-define-contributions-in-the-reports).
+
+([GitHub contributors page for this release](https://github.com/jupyterhub/jupyterhub/graphs/contributors?from=2025-04-15&to=2025-10-06&type=c))
+
+@abuettner93 ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aabuettner93+updated%3A2025-04-15..2025-10-06&type=Issues)) | @agoose77 ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aagoose77+updated%3A2025-04-15..2025-10-06&type=Issues)) | @akhmerov ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aakhmerov+updated%3A2025-04-15..2025-10-06&type=Issues)) | @chilin0525 ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Achilin0525+updated%3A2025-04-15..2025-10-06&type=Issues)) | @choldgraf ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Acholdgraf+updated%3A2025-04-15..2025-10-06&type=Issues)) | @clhedrick ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aclhedrick+updated%3A2025-04-15..2025-10-06&type=Issues)) | @consideRatio ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3AconsideRatio+updated%3A2025-04-15..2025-10-06&type=Issues)) | @grios-stratio ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Agrios-stratio+updated%3A2025-04-15..2025-10-06&type=Issues)) | @joeyutong ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Ajoeyutong+updated%3A2025-04-15..2025-10-06&type=Issues)) | @kateryna-tarelkina-dd ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Akateryna-tarelkina-dd+updated%3A2025-04-15..2025-10-06&type=Issues)) | @krassowski ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Akrassowski+updated%3A2025-04-15..2025-10-06&type=Issues)) | @kreuzert ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Akreuzert+updated%3A2025-04-15..2025-10-06&type=Issues)) | @manics ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Amanics+updated%3A2025-04-15..2025-10-06&type=Issues)) | @mathbunnyru ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Amathbunnyru+updated%3A2025-04-15..2025-10-06&type=Issues)) | @minrk ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aminrk+updated%3A2025-04-15..2025-10-06&type=Issues)) | @Paul2708 ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3APaul2708+updated%3A2025-04-15..2025-10-06&type=Issues)) | @rgaiacs ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Argaiacs+updated%3A2025-04-15..2025-10-06&type=Issues)) | @ryanlovett ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aryanlovett+updated%3A2025-04-15..2025-10-06&type=Issues)) | @tbizouerne ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Atbizouerne+updated%3A2025-04-15..2025-10-06&type=Issues)) | @yuvipanda ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Ayuvipanda+updated%3A2025-04-15..2025-10-06&type=Issues))
+
+## 5.3
+
+### 5.3.0 - 2025-04-15
+
+5.3.0 is a small release with lots of bugfixes and a few new features, including more configuration options for:
+
+- [User options for Spawners](#spawner_user_options)
+- [Prometheus bucket sizes](#monitoring_bucket_sizes)
+- A new [SharedPasswordAuthenticator](#SharedPasswordAuthenticator)
+
+We have also changed how we build the `jupyterhub` container images.
+Images are now built from [jupyterhub-container-images](https://github.com/jupyterhub/jupyterhub-container-images) instead of the JupyterHub repo.
+The main user-facing implication of this is that image for a given JupyterHub version will be rebuilt,
+which has the following consequences:
+
+1. `quay.io/jupyterhub/jupyterhub:5.3.0` will get security and dependency updates, which has the possibility of breaking things.
+2. Version tags are now also published with a build number that is incremented on each build of a given version.
+   So if you use a tag like `quay.io/jupyterhub/jupyterhub:5.3.0-1`, that image will not get updates.
+3. `jupyterhub-onbuild` images will no longer be published.
+   This image only saved one `COPY` line in your Dockerfile, so is replaced with the base `jupyterhub` image.
+
+([full changelog](https://github.com/jupyterhub/jupyterhub/compare/5.2.1...5.3.0))
+
+#### New features added
+
+- Allow configuration of stop duration metric buckets [#5045](https://github.com/jupyterhub/jupyterhub/pull/5045) ([@srikanthchelluri](https://github.com/srikanthchelluri), [@minrk](https://github.com/minrk))
+- Add SharedPasswordAuthenticator [#5037](https://github.com/jupyterhub/jupyterhub/pull/5037) ([@yuvipanda](https://github.com/yuvipanda), [@minrk](https://github.com/minrk), [@jules32](https://github.com/jules32), [@manics](https://github.com/manics), [@ateucher](https://github.com/ateucher))
+- add apply_user_options hook [#5012](https://github.com/jupyterhub/jupyterhub/pull/5012) ([@minrk](https://github.com/minrk), [@manics](https://github.com/manics), [@akhmerov](https://github.com/akhmerov))
+- allow group management API when managed_groups is True [#5004](https://github.com/jupyterhub/jupyterhub/pull/5004) ([@minrk](https://github.com/minrk), [@manics](https://github.com/manics))
+- Add `$JUPYTERHUB_XSRF_ANONYMOUS_{IP_CIDRS|HEADERS}` config for managing anonymous xsrf ids [#4991](https://github.com/jupyterhub/jupyterhub/pull/4991) ([@minrk](https://github.com/minrk), [@manics](https://github.com/manics), [@samyuh](https://github.com/samyuh))
+- Allow custom login input validation [#4979](https://github.com/jupyterhub/jupyterhub/pull/4979) ([@tlvu](https://github.com/tlvu), [@minrk](https://github.com/minrk))
+- Allow configuration of bucket sizes in metrics - #4833 [#4967](https://github.com/jupyterhub/jupyterhub/pull/4967) ([@kireetb](https://github.com/kireetb), [@minrk](https://github.com/minrk), [@manics](https://github.com/manics))
+
+#### Enhancements made
+
+- improve xsrf errors on login [#5022](https://github.com/jupyterhub/jupyterhub/pull/5022) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
+- More IPv6: Use bare IPv6 for configuration, use `[ipv6]` when displaying IPv6 outputs [#4988](https://github.com/jupyterhub/jupyterhub/pull/4988) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- Allow CORS requests to /hub/api by default [#4966](https://github.com/jupyterhub/jupyterhub/pull/4966) ([@agoose77](https://github.com/agoose77), [@minrk](https://github.com/minrk), [@yuvipanda](https://github.com/yuvipanda), [@manics](https://github.com/manics))
+
+#### Bugs fixed
+
+- url_path_join: handle empty trailing components [#5033](https://github.com/jupyterhub/jupyterhub/pull/5033) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- Try to improve admin paging consistency [#5025](https://github.com/jupyterhub/jupyterhub/pull/5025) ([@minrk](https://github.com/minrk))
+- make sure custom error messages are shown on regular error pages [#5020](https://github.com/jupyterhub/jupyterhub/pull/5020) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
+- raise spawn error if spawn failed while polling [#5011](https://github.com/jupyterhub/jupyterhub/pull/5011) ([@minrk](https://github.com/minrk))
+- Singleuser: listen on IPv4 and IPv6 if ip=="" [#4986](https://github.com/jupyterhub/jupyterhub/pull/4986) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- make insecure-login-warning visible in dark mode [#4982](https://github.com/jupyterhub/jupyterhub/pull/4982) ([@mishaschwartz](https://github.com/mishaschwartz), [@minrk](https://github.com/minrk))
+- Fix bug in `GroupEdit`: Users being reset when clicking the button to edit a group [#4968](https://github.com/jupyterhub/jupyterhub/pull/4968) ([@oboki](https://github.com/oboki), [@minrk](https://github.com/minrk))
+- Fixed code formatting for implicit_spawn_seconds (#4949) [#4950](https://github.com/jupyterhub/jupyterhub/pull/4950) ([@millenniumhand](https://github.com/millenniumhand), [@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio), [@manics](https://github.com/manics))
+- Stop All: include named servers [#4939](https://github.com/jupyterhub/jupyterhub/pull/4939) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+
+#### Maintenance and upkeep improvements
+
+- set default permissions on workflows [#5049](https://github.com/jupyterhub/jupyterhub/pull/5049) ([@minrk](https://github.com/minrk))
+- skip js build on readthedocs [#5036](https://github.com/jupyterhub/jupyterhub/pull/5036) ([@minrk](https://github.com/minrk))
+- jsx: update and address eslint [#5030](https://github.com/jupyterhub/jupyterhub/pull/5030) ([@minrk](https://github.com/minrk))
+- stop publishing images from jupyterhub/jupyterhub [#5024](https://github.com/jupyterhub/jupyterhub/pull/5024) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio), [@manics](https://github.com/manics))
+- try to fix flaky spawn_pending browser test [#5023](https://github.com/jupyterhub/jupyterhub/pull/5023) ([@minrk](https://github.com/minrk))
+- add some debugging output for intermittent share code failure [#5021](https://github.com/jupyterhub/jupyterhub/pull/5021) ([@minrk](https://github.com/minrk))
+- temporarily disable docker build on ci [#5010](https://github.com/jupyterhub/jupyterhub/pull/5010) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
+- MockHub: randomize hub and proxy API ports [#5007](https://github.com/jupyterhub/jupyterhub/pull/5007) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- don't install unused browsers for playwright [#4990](https://github.com/jupyterhub/jupyterhub/pull/4990) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
+- close tornado FDs without closing asyncio loop [#4984](https://github.com/jupyterhub/jupyterhub/pull/4984) ([@minrk](https://github.com/minrk))
+- Standard formatting in LICENSE [#4975](https://github.com/jupyterhub/jupyterhub/pull/4975) ([@SamuelMarks](https://github.com/SamuelMarks), [@minrk](https://github.com/minrk), [@manics](https://github.com/manics))
+- Replace react-router-dom@6 with react-router@7 [#4961](https://github.com/jupyterhub/jupyterhub/pull/4961) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- Use intersphinx-registry to keep intersphinx URLs up to date. [#4948](https://github.com/jupyterhub/jupyterhub/pull/4948) ([@Carreau](https://github.com/Carreau), [@minrk](https://github.com/minrk), [@manics](https://github.com/manics))
+
+#### Documentation improvements
+
+- Fix outdated GitHub Wiki links in documentation [#5047](https://github.com/jupyterhub/jupyterhub/pull/5047) ([@chilin0525](https://github.com/chilin0525), [@minrk](https://github.com/minrk))
+- Fix broken link to `idleness` section in capacity-planning.md [#5046](https://github.com/jupyterhub/jupyterhub/pull/5046) ([@chilin0525](https://github.com/chilin0525), [@consideRatio](https://github.com/consideRatio))
+- changelog for 5.3.0 (RC) [#5042](https://github.com/jupyterhub/jupyterhub/pull/5042) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
+- Add instruction on how to select dummy authenticator [#5041](https://github.com/jupyterhub/jupyterhub/pull/5041) ([@ktaletsk](https://github.com/ktaletsk), [@GeorgianaElena](https://github.com/GeorgianaElena), [@minrk](https://github.com/minrk))
+- rm outdated claim that "copy shareable link" does not work in JupyterHub [#5018](https://github.com/jupyterhub/jupyterhub/pull/5018) ([@ctcjab](https://github.com/ctcjab), [@manics](https://github.com/manics))
+- Automatically generate rest-api.yml and scopes.md using pre-commit [#5009](https://github.com/jupyterhub/jupyterhub/pull/5009) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- doc: read:users only includes server not servers [#5006](https://github.com/jupyterhub/jupyterhub/pull/5006) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- make sure 'kind' shows up in rest api [#4995](https://github.com/jupyterhub/jupyterhub/pull/4995) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
+- Missing breaking change in 5.0.0 changelog: URL tokens [#4978](https://github.com/jupyterhub/jupyterhub/pull/4978) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- Update `load_groups` config in collaboration-users.md [#4964](https://github.com/jupyterhub/jupyterhub/pull/4964) ([@jrdnbradford](https://github.com/jrdnbradford), [@minrk](https://github.com/minrk), [@manics](https://github.com/manics))
+- Document Spawner.oauth_client_allowed_scopes always allows access [#4955](https://github.com/jupyterhub/jupyterhub/pull/4955) ([@manics](https://github.com/manics), [@minrk](https://github.com/minrk))
+- mention that `auth_refresh_age = 0` disables time-based refresh_user [#4947](https://github.com/jupyterhub/jupyterhub/pull/4947) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
+- add traitlets default import to auth allow_all override example for completeness [#4946](https://github.com/jupyterhub/jupyterhub/pull/4946) ([@kellyrowland](https://github.com/kellyrowland), [@minrk](https://github.com/minrk))
+
+#### Contributors to this release
+
+The following people contributed discussions, new ideas, code and documentation contributions, and review.
+See [our definition of contributors](https://github-activity.readthedocs.io/en/latest/#how-does-this-tool-define-contributions-in-the-reports).
+
+([GitHub contributors page for this release](https://github.com/jupyterhub/jupyterhub/graphs/contributors?from=2024-10-21&to=2025-04-15&type=c))
+
+@adsche ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aadsche+updated%3A2024-10-21..2025-04-15&type=Issues)) | @agoose77 ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aagoose77+updated%3A2024-10-21..2025-04-15&type=Issues)) | @akhmerov ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aakhmerov+updated%3A2024-10-21..2025-04-15&type=Issues)) | @ateucher ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aateucher+updated%3A2024-10-21..2025-04-15&type=Issues)) | @Carreau ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3ACarreau+updated%3A2024-10-21..2025-04-15&type=Issues)) | @chilin0525 ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Achilin0525+updated%3A2024-10-21..2025-04-15&type=Issues)) | @consideRatio ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3AconsideRatio+updated%3A2024-10-21..2025-04-15&type=Issues)) | @ctcjab ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Actcjab+updated%3A2024-10-21..2025-04-15&type=Issues)) | @davidbrochart ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Adavidbrochart+updated%3A2024-10-21..2025-04-15&type=Issues)) | @GeorgianaElena ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3AGeorgianaElena+updated%3A2024-10-21..2025-04-15&type=Issues)) | @jrdnbradford ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Ajrdnbradford+updated%3A2024-10-21..2025-04-15&type=Issues)) | @jules32 ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Ajules32+updated%3A2024-10-21..2025-04-15&type=Issues)) | @kellyrowland ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Akellyrowland+updated%3A2024-10-21..2025-04-15&type=Issues)) | @kireetb ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Akireetb+updated%3A2024-10-21..2025-04-15&type=Issues)) | @ktaletsk ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aktaletsk+updated%3A2024-10-21..2025-04-15&type=Issues)) | @manics ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Amanics+updated%3A2024-10-21..2025-04-15&type=Issues)) | @millenniumhand ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Amillenniumhand+updated%3A2024-10-21..2025-04-15&type=Issues)) | @minrk ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aminrk+updated%3A2024-10-21..2025-04-15&type=Issues)) | @mishaschwartz ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Amishaschwartz+updated%3A2024-10-21..2025-04-15&type=Issues)) | @oboki ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aoboki+updated%3A2024-10-21..2025-04-15&type=Issues)) | @SamuelMarks ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3ASamuelMarks+updated%3A2024-10-21..2025-04-15&type=Issues)) | @samyuh ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Asamyuh+updated%3A2024-10-21..2025-04-15&type=Issues)) | @srikanthchelluri ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Asrikanthchelluri+updated%3A2024-10-21..2025-04-15&type=Issues)) | @tlvu ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Atlvu+updated%3A2024-10-21..2025-04-15&type=Issues)) | @yuvipanda ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Ayuvipanda+updated%3A2024-10-21..2025-04-15&type=Issues))
+
 ## 5.2

 ### 5.2.1 - 2024-10-21
@@ -168,6 +328,7 @@ Changes that are likely to require effort to upgrade:
 - update bootstrap to v5 [#4774](https://github.com/jupyterhub/jupyterhub/pull/4774) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio), [@manics](https://github.com/manics))
 - explicitly require groups in auth model when Authenticator.manage_groups is enabled [#4645](https://github.com/jupyterhub/jupyterhub/pull/4645) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
 - add JupyterHub.subdomain_hook [#4471](https://github.com/jupyterhub/jupyterhub/pull/4471) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio), [@akhmerov](https://github.com/akhmerov))
+- Using a token as a query parameter to start a user session is disabled by default, set `JUPYTERHUB_ALLOW_TOKEN_IN_URL=true` to enable it

 #### New features added

@@ -1738,7 +1899,7 @@ Highlights:
 - More configuration of page templates and service display
 - Pagination of the admin page improving performance with large numbers of users
 - Improved control of user redirect
- Support for [jupyter-server](https://jupyter-server.readthedocs.io/en/latest/)-based single-user servers, such as [Voilà](https://voila-gallery.org) and latest JupyterLab.
+- Support for [jupyter-server](https://jupyter-server.readthedocs.io/en/latest/)-based single-user servers, such as [Voilà](https://voila.readthedocs.io) and latest JupyterLab.
 - Lots more improvements to documentation, HTML pages, and customizations

 ([full changelog](https://github.com/jupyterhub/jupyterhub/compare/1.1.0...1.2.0))
--- a/docs/source/reference/gallery-jhub-deployments.md
+++ b/docs/source/reference/gallery-jhub-deployments.md
@@ -16,17 +16,13 @@ Please submit pull requests to update information or to add new institutions or

 - [BIDS - Berkeley Institute for Data Science](https://bids.berkeley.edu/)

- [Data 8](http://data8.org/)
-
+- [Data 8](https://www.data8.org/)
  - [GitHub organization](https://github.com/data-8)

 - [NERSC](https://www.nersc.gov/)

-  - [Press release on Jupyter and Cori](https://www.nersc.gov/news-publications/nersc-news/nersc-center-news/2016/jupyter-notebooks-will-open-up-new-possibilities-on-nerscs-cori-supercomputer/)
-  - [Moving and sharing data](https://www.nersc.gov/assets/Uploads/03-MovingAndSharingData-Cholia.pdf)
-
 - [Research IT](https://research-it.berkeley.edu)
-  - [JupyterHub server supports campus research computation](https://research-it.berkeley.edu/blog/17/01/24/free-fully-loaded-jupyterhub-server-supports-campus-research-computation)
+  - [JupyterHub server supports campus research computation](https://research-it.berkeley.edu/news/free-fully-loaded-jupyterhub-server-supports-campus-research-computation)

 ### University of California Davis

@@ -86,7 +82,7 @@ Within CERN, there are two noteworthy JupyterHub deployments in operation:

 [ETH Zurich](https://ethz.ch/en.html), (Federal Institute of Technology Zurich), is a public research university in Zürich, Switzerland, with focus on science, technology, engineering, and mathematics, although its 16 departments span a variety of disciplines and subjects.

-The [Educational Development and Technology](https://ethz.ch/en/the-eth-zurich/organisation/departments/educational-development-and-technology.html) unit provides JupyterHub exclusively for teaching and learning, integrated in the learning management system [Moodle](https://ethz.ch/staffnet/en/teaching/academic-support/it-services-teaching/teaching-applications/moodle-service.html). Each course gets its individually configured JupyterHub environment deployed on a on-premise Kubernetes cluster.
+The [Educational Development and Technology](https://ethz.ch/en/the-eth-zurich/organisation/departments/teaching-and-learning.html) unit provides JupyterHub exclusively for teaching and learning, integrated in the learning management system [Moodle](https://ethz.ch/staffnet/en/teaching/academic-support/it-services-teaching/teaching-applications/moodle-service.html). Each course gets its individually configured JupyterHub environment deployed on a on-premise Kubernetes cluster.

 - [ETH JupyterHub](https://ethz.ch/staffnet/en/teaching/academic-support/it-services-teaching/teaching-applications/jupyterhub.html) for teaching and learning

@@ -125,16 +121,15 @@ The [Educational Development and Technology](https://ethz.ch/en/the-eth-zurich/o
 ### Paderborn University

 - [Data Science (DICE) group](https://dice-research.org)
-  - [nbgraderutils](https://github.com/dice-group/nbgraderutils): Use JupyterHub + nbgrader + iJava kernel for online Java exercises. Used in lecture Statistical Natural Language Processing.
+  - [JavaOnlineExercises](https://github.com/dice-group/JavaOnlineExercises): Use JupyterHub + nbgrader + iJava kernel for online Java exercises. Used in lecture Statistical Natural Language Processing.

 ### Penn State University

- [Press release](https://news.psu.edu/story/523093/2018/05/24/new-open-source-web-apps-available-students-and-faculty): "New open-source web apps available for students and faculty"
+- [Press release](https://www.psu.edu/news/academics/story/new-open-source-web-apps-available-students-and-faculty): "New open-source web apps available for students and faculty"

 ### University of California San Diego

 - San Diego Supercomputer Center - Andrea Zonca
-
  - [Deploy JupyterHub on a Supercomputer with SSH](https://zonca.github.io/2017/05/jupyterhub-hpc-batchspawner-ssh.html)
  - [Run Jupyterhub on a Supercomputer](https://zonca.github.io/2015/04/jupyterhub-hpc.html)
  - [Deploy JupyterHub on a VM for a Workshop](https://zonca.github.io/2016/04/jupyterhub-sdsc-cloud.html)
@@ -154,7 +149,7 @@ The [Educational Development and Technology](https://ethz.ch/en/the-eth-zurich/o

 ### Elucidata

- What's new in Jupyter Notebooks @[Elucidata](https://elucidata.io/):
+- What's new in Jupyter Notebooks @[Elucidata](https://www.elucidata.io/):
  - [Using Jupyter Notebooks with Jupyterhub on GCP, managed by GKE](https://medium.com/elucidata/why-you-should-be-using-a-jupyter-notebook-8385a4ccd93d)

 ## Service Providers
@@ -174,7 +169,7 @@ The [Educational Development and Technology](https://ethz.ch/en/the-eth-zurich/o

 ### Microsoft Azure

- [Azure Data Science Virtual Machine release notes](https://docs.microsoft.com/en-us/azure/machine-learning/machine-learning-data-science-linux-dsvm-intro)
+- [Azure Data Science Virtual Machine release notes](https://learn.microsoft.com/en-us/azure/machine-learning/machine-learning-data-science-linux-dsvm-intro)

 ### Rackspace Carina

@@ -202,5 +197,5 @@ The [Educational Development and Technology](https://ethz.ch/en/the-eth-zurich/o
 - https://www.walkingrandomly.com/?p=5734
 - https://wrdrd.com/docs/consulting/education-technology
 - https://bitbucket.org/jackhale/fenics-jupyter
- [LinuxCluster blog](https://linuxcluster.wordpress.com/category/application/jupyterhub/)
+- [LinuxCluster blog](https://thelinuxcluster.com/category/application/jupyterhub/)
 - [Spark Cluster on OpenStack with Multi-User Jupyter Notebook](https://arnesund.com/2015/09/21/spark-cluster-on-openstack-with-multi-user-jupyter-notebook/)
--- a/docs/source/reference/monitoring.md
+++ b/docs/source/reference/monitoring.md
@@ -33,6 +33,23 @@ export JUPYTERHUB_METRICS_PREFIX=jupyterhub_prod

 would result in the metric `jupyterhub_prod_active_users`, etc.

+(monitoring_bucket_sizes)=
+
+## Customizing bucket sizes
+
+As of JupyterHub 5.3, the following environment variables in the Hub's environment can be overridden to support custom bucket sizes - below are the defaults:
+
+| Variable                                           | Default                                                            |
+| -------------------------------------------------- | ------------------------------------------------------------------ |
+| `JUPYTERHUB_SERVER_SPAWN_DURATION_SECONDS_BUCKETS` | `0.5,1,2.5,5,10,15,30,60,120,180,300,600,inf`                      |
+| `JUPYTERHUB_SERVER_STOP_DURATION_SECONDS_BUCKETS`  | `0.005,0.01,0.025,0.05,0.075,0.1,0.25,0.5,0.75,1,2.5,5,7.5,10,inf` |
+
+For example,
+
+```bash
+export JUPYTERHUB_SERVER_SPAWN_DURATION_SECONDS_BUCKETS="1,2,4,6,12,30,60,120,inf"
+```
+
 ## Configuring metrics

 ```{eval-rst}
--- a/docs/source/reference/services.md
+++ b/docs/source/reference/services.md
@@ -563,7 +563,7 @@ and an example of its configuration is found [here](https://github.com/jupyter/n
 nbviewer can also be run as a Hub-Managed Service as described [nbviewer README][nbviewer example]
 section on securing the notebook viewer.

-[requests]: https://docs.python-requests.org/en/master/
+[requests]: https://requests.readthedocs.io
 [services_auth]: ../api/services.auth.html
 [nbviewer example]: https://github.com/jupyter/nbviewer#securing-the-notebook-viewer
 [fastapi example]: https://github.com/jupyterhub/jupyterhub/tree/HEAD/examples/service-fastapi
--- a/docs/source/reference/sharing.md
+++ b/docs/source/reference/sharing.md
@@ -201,13 +201,13 @@ To revoke sharing permissions from the perspective of the user or group being sh
 you need the permissions `users:shares` or `groups:shares` with the appropriate _user_ or _group_ filter.
 This allows users to 'leave' shared servers, without needing permission to manage the server's sharing permissions.

-```
+```{parsed-literal}
 [DELETE /api/users/:username/shared/:ownername/:servername](rest-api-delete-user-shared-server)
 ```

 or

-```
+```{parsed-literal}
 [DELETE /api/groups/:groupname/shared/:ownername/:servername](rest-api-delete-group-shared-server)
 ```

--- a/docs/source/reference/spawners.md
+++ b/docs/source/reference/spawners.md
@@ -2,7 +2,7 @@

 # Spawners

-A [Spawner][] starts each single-user notebook server.
+A [Spawner](#Spawner) starts each single-user notebook server.
 The Spawner represents an abstract interface to a process,
 and a custom Spawner needs to be able to take three actions:

@@ -37,7 +37,7 @@ Some examples include:

 ### Spawner.start

-`Spawner.start` should start a single-user server for a single user.
+[](#Spawner.start) should start a single-user server for a single user.
 Information about the user can be retrieved from `self.user`,
 an object encapsulating the user's name, authentication, and server info.

@@ -68,11 +68,11 @@ async def start(self):
 When `Spawner.start` returns, the single-user server process should actually be running,
 not just requested. JupyterHub can handle `Spawner.start` being very slow
 (such as PBS-style batch queues, or instantiating whole AWS instances)
-via relaxing the `Spawner.start_timeout` config value.
+via relaxing the [](#Spawner.start_timeout) config value.

 #### Note on IPs and ports

-`Spawner.ip` and `Spawner.port` attributes set the _bind_ URL,
+[](#Spawner.ip) and [](#Spawner.port) attributes set the _bind_ URL,
 which the single-user server should listen on
 (passed to the single-user process via the `JUPYTERHUB_SERVICE_URL` environment variable).
 The _return_ value is the IP and port (or full URL) the Hub should _connect to_.
@@ -124,7 +124,7 @@ If both attributes are not present, the Exception will be shown to the user as u

 ### Spawner.poll

-`Spawner.poll` checks if the spawner is still running.
+[](#Spawner.poll) checks if the spawner is still running.
 It should return `None` if it is still running,
 and an integer exit status, otherwise.

@@ -133,7 +133,7 @@ to check if the local process is still running. On Windows, it uses `psutil.pid_

 ### Spawner.stop

-`Spawner.stop` should stop the process. It must be a tornado coroutine, which should return when the process has finished exiting.
+[](#Spawner.stop) should stop the process. It must be a tornado coroutine, which should return when the process has finished exiting.

 ## Spawner state

@@ -166,17 +166,18 @@ def clear_state(self):
    self.pid = 0
 ```

+(spawner_user_options)=
+
 ## Spawner options form

-(new in 0.4)
-
 Some deployments may want to offer options to users to influence how their servers are started.
-This may include cluster-based deployments, where users specify what resources should be available,
-or docker-based deployments where users can select from a list of base images.
+This may include cluster-based deployments, where users specify what memory or cpu resources should be available,
+or container-based deployments where users can select from a list of base images,
+or more complex configurations where users select a "profile" representing a bundle of settings to be applied together.

-This feature is enabled by setting `Spawner.options_form`, which is an HTML form snippet
+This feature is enabled by setting [](#Spawner.options_form), which is an HTML form snippet
 inserted unmodified into the spawn form.
-If the `Spawner.options_form` is defined, when a user tries to start their server, they will be directed to a form page, like this:
+If the `Spawner.options_form` is defined, when a user tries to start their server they will be directed to a form page, like this:

 ![spawn-form](/images/spawn-form.png)

@@ -186,28 +187,40 @@ See [this example](https://github.com/jupyterhub/jupyterhub/blob/HEAD/examples/s

 ### `Spawner.options_from_form`

-Options from this form will always be a dictionary of lists of strings, e.g.:
+Inputs from an HTML form always arrive as a dictionary of lists of strings, e.g.:

 ```python
-{
+formdata = {
  'integer': ['5'],
+  'checkbox': ['on'],
  'text': ['some text'],
  'select': ['a', 'b'],
 }
 ```

-When `formdata` arrives, it is passed through `Spawner.options_from_form(formdata)`,
-which is a method to turn the form data into the correct structure.
-This method must return a dictionary, and is meant to interpret the lists-of-strings into the correct types. For example, the `options_from_form` for the above form would look like:
+When `formdata` arrives, it is passed through [](#Spawner.options_from_form):

 ```python
-def options_from_form(self, formdata):
+spawner.user_options = spawner.options_from_form(formdata, spawner=spawner)
+```
+
+to create `spawner.user_options`.
+
+[](#Spawner.options_from_form) is a configurable function to turn the HTTP form data into the correct structure for [](#Spawner.user_options).
+`options_from_form` must return a dictionary, _may_ be async, and is meant to interpret the lists-of-strings a web form produces into the correct types.
+For example, the `options_from_form` for the above form might look like:
+
+```python
+def options_from_form(formdata, spawner=None):
    options = {}
    options['integer'] = int(formdata['integer'][0]) # single integer value
+    options['checkbox'] = formdata['checkbox'] == ['on']
    options['text'] = formdata['text'][0] # single string value
    options['select'] = formdata['select'] # list already correct
    options['notinform'] = 'extra info' # not in the form at all
    return options
+
+c.Spawner.options_from_form = options_from_form
 ```

 which would return:
@@ -215,15 +228,115 @@ which would return:
 ```python
 {
  'integer': 5,
+  'checkbox': True,
  'text': 'some text',
  'select': ['a', 'b'],
  'notinform': 'extra info',
 }
 ```

-When `Spawner.start` is called, this dictionary is accessible as `self.user_options`.
+### Applying user options

-[spawner]: https://github.com/jupyterhub/jupyterhub/blob/HEAD/jupyterhub/spawner.py
+The base Spawner class doesn't do anything with `user_options`, that is also up to your deployment and/or chosen Spawner.
+This is because the users can specify arbitrary option dictionary by using the API,
+so it is part of your Spawner and/or deployment configuration to expose the options you trust your users to set.
+
+[](#Spawner.apply_user_options) is the hook for taking `user_options` and applying whatever configuration it may represent.
+It is critical that `apply_user_options` validates all input, since these are provided by the user.
+
+```python
+def apply_user_options(spawner, user_options):
+    if "image" in user_options and isinstance(user_options["image"], str):
+        spawner.image = user_options["image"]
+
+c.Spawner.apply_user_options = apply_user_options
+```
+
+:::{versionadded} 5.3
+JupyterHub 5.3 introduces [](#Spawner.apply_user_options) configuration.
+Previously, [](#Spawner.user_options) could only be consumed during [](#Spawner.start),
+at which point `user_options` is available to the Spawner instance as `self.user_options`.
+This approach requires subclassing, so it was not possible to apply new `user_options` via configuration.
+In JupyterHub 5.3, it is possible to fully expose user options,
+and for some simple cases, fully with _declarative_ configuration.
+:::
+
+### Declarative configuration for user options
+
+While [](#Spawner.options_from_form) and [](#Spawner.apply_user_options) are callables by nature,
+some simple cases can be represented by declarative configuration,
+which is most conveniently expressed in e.g. the yaml of the JupyterHub helm chart.
+The cases currently handled are:
+
+```python
+c.Spawner.options_form = """
+<input name="image_input" type="text" value="quay.io/jupyterhub/singleuser:5.2"/>
+<input name="debug_checkbox" type="checkbox" />
+"""
+c.Spawner.options_from_form = "simple"
+c.Spawner.apply_user_options = {"image_input": "image", "debug_checkbox": "debug"}
+```
+
+`options_from_form = "simple"` uses a built-in method to do the very simplest interpretation of an html form,
+casting the lists of strings to single strings by getting the first item when there is only one.
+The only extra processing it performs is casting the checkbox value of `on` to True.
+
+So it turns this formdata:
+
+```python
+{
+  "image_input": ["my_image"],
+  "debug_checkbox": ["on"],
+}
+```
+
+into this `user_options`
+
+```python
+{
+  "image_input": "my_image",
+  "debug_checkbox": True
+}
+```
+
+When `apply_user_options` is a dictionary, any input in `user_options` is looked up in this dictionary,
+and assigned to the corresponding Spawner attribute.
+Strings are passed through traitlets' `from_string` logic (what is used for setting values on the command-line),
+which means you can set numbers and things this way as well,
+even though `options_from_form` leaves these as strings.
+
+So in the above configuration, we have exposed `Spawner.debug` and `Spawner.image` without needing to write any functions.
+In the JupyterHub helm chart YAML, this would look like:
+
+```yaml
+hub:
+  config:
+    KubeSpawner:
+      options_form: |
+        <input name="image_input" type="text" value="quay.io/jupyterhub/singleuser:5.2"/>
+        <input name="debug_checkbox" type="checkbox" />
+      options_from_form: simple
+      apply_user_options:
+        image_input: image
+        debug_checkbox: debug
+```
+
+### Setting `user_options` directly via the REST API
+
+In addition to going through the options form, `user_options` may be set directly, via the REST API.
+The body of a POST request to spawn a server may be a JSON dictionary,
+which will be used to set `user_options` directly.
+When used this way, neither `options_form` nor `options_from_form` are involved,
+`user_options` is set directly, and only `apply_user_options` is called.
+
+```
+POST /hub/api/users/servers/:name
+{
+  "option": 5,
+  "bool": True,
+  "string": "value"
+}
+```

 ## Writing a custom spawner

@@ -354,7 +467,7 @@ spawner, does not support limits and guarantees. One of the spawners
 that supports limits and guarantees is the
 [`systemdspawner`](https://github.com/jupyterhub/systemdspawner).

-### Memory Limits & Guarantees
+### Memory Limits and Guarantees

 `c.Spawner.mem_limit`: A **limit** specifies the _maximum amount of memory_
 that may be allocated, though there is no promise that the maximum amount will
@@ -374,7 +487,7 @@ available for the single-user notebook server to use. The environment variable
 limits and providing these guarantees.** If these values are set to `None`, no
 limits or guarantees are provided, and no environment values are set.

-### CPU Limits & Guarantees
+### CPU Limits and Guarantees

 `c.Spawner.cpu_limit`: In supported spawners, you can set
 `c.Spawner.cpu_limit` to limit the total number of cpu-cores that a
--- a/docs/source/reference/urls.md
+++ b/docs/source/reference/urls.md
@@ -169,27 +169,20 @@ _Version changed: 1.0_
 JupyterHub version 0.9 failed these API requests with status `404`,
 but version 1.0 uses 503.

-## `/user-redirect/...`
+## `/hub/user-redirect/...`

-The `/user-redirect/...` URL is for sharing a URL that will redirect a user
+The `/hub/user-redirect/...` URL is for sharing a URL that will redirect a user
 to a path on their own default server.
 This is useful when different users have the same file at the same URL on their servers,
 and you want a single link to give to any user that will open that file on their server.

-e.g. a link to `/user-redirect/notebooks/Index.ipynb`
+e.g. a link to `/hub/user-redirect/notebooks/Index.ipynb`
 will send user `hortense` to `/user/hortense/notebooks/Index.ipynb`

 **DO NOT** share links to your own server with other users.
 This will not work in general,
 unless you grant those users access to your server.

-**Contributions welcome:** The JupyterLab "shareable link" should share this link
-when run with JupyterHub, but it does not.
-See [jupyterlab-hub](https://github.com/jupyterhub/jupyterlab-hub)
-where this should probably be done and
-[this issue in JupyterLab](https://github.com/jupyterlab/jupyterlab/issues/5388)
-that is intended to make it possible.
-
 ## Spawning

 ### `/hub/spawn[/:username[/:servername]]`
--- a/docs/source/tutorial/collaboration-users.md
+++ b/docs/source/tutorial/collaboration-users.md
@@ -78,7 +78,7 @@ c.JupyterHub.load_roles = []
 c.JupyterHub.load_groups = {
    # collaborative accounts get added to this group
    # so it's easy to see which accounts are collaboration accounts
-    "collaborative": [],
+    "collaborative": {"users": []},
 }
 ```

@@ -102,12 +102,12 @@ for project_name, project in project_config["projects"].items():
    members = project.get("members", [])
    print(f"Adding project {project_name} with members {members}")
    # add them to a group for the project
-    c.JupyterHub.load_groups[project_name] = members
+    c.JupyterHub.load_groups[project_name] = {"users": members}
    # define a new user for the collaboration
    collab_user = f"{project_name}-collab"
    # add the collab user to the 'collaborative' group
    # so we can identify it as a collab account
-    c.JupyterHub.load_groups["collaborative"].append(collab_user)
+    c.JupyterHub.load_groups["collaborative"]["users"].append(collab_user)

    # finally, grant members of the project collaboration group
    # access to the collab user's server,
--- a/docs/source/tutorial/getting-started/authenticators-users-basics.md
+++ b/docs/source/tutorial/getting-started/authenticators-users-basics.md
@@ -2,9 +2,15 @@

 # Authentication and User Basics

-The default Authenticator uses [PAM][] (Pluggable Authentication Module) to authenticate system users with
-their usernames and passwords. With the default Authenticator, any user
-with an account and password on the system will be allowed to login.
+The default Authenticator uses [PAM][] (Pluggable Authentication Module) to authenticate users already defined on the system with their usernames and passwords.
+With the default Authenticator,
+any user with an account and password on the system will be able to login.
+But that does not mean they will be **allowed** to access JupyterHub.
+
+:::{important}
+Only _explicitly allowed_ users can login to JupyterHub
+(a user who can login but is not allowed will see a permission error after successful login).
+:::

 ## Deciding who is allowed

--- a/docs/source/tutorial/quickstart-docker.md
+++ b/docs/source/tutorial/quickstart-docker.md
@@ -46,7 +46,7 @@ If you want to run docker on a computer that has a public IP then you should
 (as in MUST) **secure it with ssl** by adding ssl options to your docker
 configuration or using an ssl enabled proxy.

-[Mounting volumes](https://docs.docker.com/engine/admin/volumes/volumes/)
+[Mounting volumes](https://docs.docker.com/engine/storage/volumes/)
 enables you to persist and store the data generated by the docker container, even when you stop the container.
 The persistent data can be stored on the host system, outside the container.

--- a/docs/source/tutorial/quickstart.md
+++ b/docs/source/tutorial/quickstart.md
@@ -11,7 +11,6 @@ Before installing JupyterHub, you will need:
  installing Python packages is helpful.
 - [Node.js {{node_min}}](https://www.npmjs.com/) or greater, along with npm. [Install Node.js/npm](https://docs.npmjs.com/getting-started/installing-node),
  using your operating system's package manager.
-
  - If you are using **`conda`**, the nodejs and npm dependencies will be installed for
    you by conda.

@@ -72,6 +71,35 @@ jupyterhub -h
 configurable-http-proxy -h
 ```

+## Configuration
+
+At this point, we could start jupyterhub, but nobody would be able to use it!
+Only users who are explicitly **allowed** can use JupyterHub.
+To allow users, we need to create a configuration file.
+JupyterHub uses a configuration file called `jupyterhub_config.py`,
+which is a regular Python script with one function `get_config()` pre-defined, returning the "config object".
+Assigning attributes to this object is how we configure JupyterHub.
+
+At this point, we have two choices:
+
+1. allow any user who can successfully login with our Authenticator (often a good choice for local machines with PAM)
+2. allow one or more users by name.
+
+We'll start with the first one.
+Create the file `jupyerhub_config.py` with the content:
+
+```python
+c = get_config()  # noqa
+c.Authenticator.allow_all = True
+# alternative: c.Authenticator.allowed_users = {"yourusername"}
+```
+
+This configuration means that anyone who can login with PAM (any existing user on the system) should have access to JupyterHub.
+
+:::{seealso}
+[](authenticators)
+:::
+
 ## Start the Hub server

 To start the Hub server, run the command:
@@ -90,6 +118,6 @@ To **allow multiple users to sign in** to the Hub server, you must start
 sudo jupyterhub
 ```

-The [wiki](https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges)
+[](howto:config:no-sudo)
 describes how to run the server as a _less privileged user_. This requires
 additional configuration of the system.
--- a/docs/source/tutorial/sharing.md
+++ b/docs/source/tutorial/sharing.md
@@ -51,25 +51,31 @@ Any shared permissions previously granted by a user will remain and must be revo
 if desired.
 :::

-### Grant servers permission to share themselves (optional, admin)
+### Grant servers permission to share themselves (admin)

-The most natural place to want to grant access to a server is when viewing that server.
-By default, the tokens used when talking to a server have extremely limited permissions.
-You can grant sharing permissions to servers themselves in one of two ways.
+When you want users to be able to share access while viewing a server, grant the appropriate
+sharing scopes so the server or the browser token can manage sharing. By default, tokens used
+to talk to a server have limited permissions.

-The first is to grant sharing permission to the tokens used by browser requests.
-This is what you would do if you had a JupyterLab extension that presented UI for managing shares
-(this should exist! We haven't made it yet).
-To grant these tokens sharing permissions:
+Granting browser-originating tokens the sharing scopes is the recommended approach when using
+JupyterLab with the `jupyter-collaboration` extension, which provides a UI for managing shares.
+The minimal permissions required to allow browser tokens to request sharing-related scopes are:

 ```python
 c.Spawner.oauth_client_allowed_scopes = ["access:servers!server", "shares!server"]
 ```

 JupyterHub's `user-sharing` example does it this way.
+The `jupyter-collaboration` UI requires additional Hub scopes to share their server with specific users on the Hub:
+
+```python
+c.Spawner.oauth_client_allowed_scopes = [
+  "read:users:name", "shares!user", "list:users", "servers!user"
+]
+```
+
 The nice thing about this approach is that only users who already have those permissions will get a token which can take these actions.
-The downside (in terms of convenience) is that the browser token is only accessible to the javascript (e.g. JupyterLab) and/or jupyter-server request handlers,
-but not notebooks or terminals.
+The downside is that the browser token is only accessible to the javascript (e.g. JupyterLab) and/or jupyter-server request handlers, but not notebooks or terminals.

 The second way, which is less secure, but perhaps more convenient for demonstration purposes,
 is to grant the _server itself_ permission to grant access to itself.
--- a/examples/forced-login/README.md
+++ b/examples/forced-login/README.md
@@ -0,0 +1,51 @@
+# Forced login example
+
+Example for forcing user login via URL without disabling token-in-url protection.
+
+An external application issues tokens associated with usernames.
+A JupyterHub Authenticator only allows login via these tokens in a URL parameter (`/hub/login?login_token=....`),
+which are then exchanged for a username, which is used to login the user.
+
+Each token can be used for login only once, and must be used within 30 seconds of issue.
+
+To run:
+
+in one shell:
+
+```
+python3 external_app.py
+```
+
+in another:
+
+```
+jupyterhub
+```
+
+Then visit http://127.0.0.1:9000
+
+Sometimes, JupyterHub is integrated into an existing application,
+which has already handled login, etc.
+It is often preferable in these applications to be able to link users to their running JupyterHub server without _prompting_ the user for login to the Hub when the Hub should really be an implementation detail.
+
+One way to do this has been to use "API only mode", issue tokens for users, and redirect users to a URL like `/users/name/?token=abc123`.
+This is [disabled by default]() in JupyterHub 5, because it presents a vulnerability for users to craft links that let _other_ users login as them, which can lead to inter-user attacks.
+
+But that leaves the question: how do I as an _application developer_ generate a link that can login a user?
+
+_Ideally_, the best way to set this up is with the external service as an OAuth provider,
+though in some cases it works best to use proxy-based authentication like Shibboleth / [REMOTE_USER]().
+
+If your service is an OAuth provider, sharing links to `/hub/user-redirect/lab/tree/path/to/notebook...` should work just fine.
+JupyterHub will:
+
+1. authenticate the user
+2. redirect to your identity provider via oauth (you can set `Authenticator.auto_login = True` if you want to skip prompting the user)
+3. complete oauth
+4. start their single-user server if it's not running (show the launch progress page while it's waiting)
+5. redirect to their server once it's up
+6. oauth (again), this time between the single-user server and the Hub
+
+If your application chooses to launch the server and wait for it to be ready before redirecting
+
+[API only mode]() is sometimes useful
--- a/examples/forced-login/external_app.py
+++ b/examples/forced-login/external_app.py
@@ -0,0 +1,100 @@
+"""An external app for laucnhing JupyuterHub with specified usernames
+
+This one serves a form with a single username input field
+
+After entering the username, generate a token and redirect to hub login with that token,
+which is then exchanged for a username.
+
+Users cannot login to JupyterHub directly, only via this app.
+"""
+
+import hashlib
+import logging
+import os
+import secrets
+import time
+from pathlib import Path
+from typing import Annotated
+
+from fastapi import Body, FastAPI, Form, status
+from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
+from yarl import URL
+
+from jupyterhub.utils import url_path_join
+
+app_dir = Path(__file__).parent.resolve()
+index_html = app_dir / "index.html"
+app = FastAPI()
+
+log = logging.getLogger("uvicorn.error")
+
+_tokens_to_username = {}
+
+jupyterhub_url = URL(os.environ.get("JUPYTERHUB_URL", "http://127.0.0.1:8000/"))
+
+# how many seconds do they have to complete the exchange before the token expires?
+token_lifetime = 30
+
+
+def _hash(token):
+    """Hash a token for storage"""
+    return hashlib.sha256(token.encode("utf8", "replace")).hexdigest()
+
+
+@app.get("/")
+async def get():
+    with index_html.open() as f:
+        return HTMLResponse(f.read())
+
+
+@app.post("/")
+async def launch(username: Annotated[str, Form()], path: Annotated[str, Form()]):
+    """Begin login
+
+    1. issue token for login
+    2. associate token with username
+    3. redirect to /hub/login?login_token=...
+    """
+    token = secrets.token_urlsafe(32)
+    hashed_token = _hash(token)
+    log.info(f"Creating token for {username}, redirecting to {path}")
+    _tokens_to_username[hashed_token] = (username, time.monotonic() + token_lifetime)
+    login_url = (jupyterhub_url / "hub/login").extend_query(
+        login_token=token, next=url_path_join("/hub/user-redirect", path)
+    )
+    log.info(login_url)
+
+    return RedirectResponse(login_url, status_code=status.HTTP_303_SEE_OTHER)
+
+
+@app.post("/login", response_class=JSONResponse)
+async def login(token: Annotated[str, Body(embed=True)]):
+    """
+    Callback to exchange a token for a username
+
+    token is consumed, can only be used once
+    """
+    now = time.monotonic()
+    hashed_token = _hash(token)
+    if hashed_token not in _tokens_to_username:
+        return JSONResponse(
+            status_code=status.HTTP_404_NOT_FOUND, content={"message": "invalid token"}
+        )
+    username, expires_at = _tokens_to_username.pop(hashed_token)
+    if expires_at < now:
+        return JSONResponse(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            content={"message": "token expired"},
+        )
+    return {"name": username}
+
+
+def main():
+    """Launches the application on port 5000 with uvicorn"""
+    import uvicorn
+
+    uvicorn.run(app, port=9000)
+
+
+if __name__ == "__main__":
+    main()
--- a/examples/forced-login/index.html
+++ b/examples/forced-login/index.html
@@ -0,0 +1,22 @@
+<!doctype html>
+<html>
+  <head>
+    <title>External Service Login</title>
+  </head>
+  <body>
+    <h1>Login to JupyterHub</h1>
+    <form action="" method="POST">
+      <label for="username">
+        Username:
+        <input type="text" name="username" autocomplete="off" />
+      </label>
+      <br />
+      <label for="path">
+        Redirect path:
+        <input type="text" name="path" autocomplete="off" value="/lab" />
+      </label>
+      <br />
+      <button>Login</button>
+    </form>
+  </body>
+</html>
--- a/examples/forced-login/jupyterhub_config.py
+++ b/examples/forced-login/jupyterhub_config.py
@@ -0,0 +1,65 @@
+import json
+
+from tornado import web
+from tornado.httpclient import AsyncHTTPClient, HTTPClientError
+from traitlets import Unicode
+
+from jupyterhub.auth import Authenticator
+from jupyterhub.utils import url_path_join
+
+
+class ForcedLoginAuthenticator(Authenticator):
+    """Authenticator to force login with a token provided by an external service
+
+    The external service issues tokens, which are exchanged for a username.
+    Visiting `/hub/login?login_token=...` logs in a user
+    Each token can be used only once.
+    """
+
+    auto_login = True  # begin login without prompt (token is in url)
+    allow_all = True  # external login app controls this
+    token_provider_url = Unicode(
+        config=True, help="""The URL of the token/username provider"""
+    )
+
+    async def authenticate(self, handler, data):
+        token = handler.get_argument("login_token", None)
+        if not token:
+            raise web.HTTPError(
+                400, f"Login with external provider at {self.token_provider_url}"
+            )
+        client = AsyncHTTPClient()
+        try:
+            response = await client.fetch(
+                url_path_join(self.token_provider_url, "/login"),
+                method="POST",
+                headers={"Content-Type": "application/json"},
+                body=json.dumps({"token": token}),
+            )
+        except HTTPClientError as e:
+            self.log.info(
+                "Error exchanging token for username: %s",
+                e.response.body.decode("utf8", "replace"),
+            )
+            if e.code == 404:
+                raise web.HTTPError(
+                    403,
+                    f"Invalid token. Login with external provider at {self.token_provider_url}",
+                )
+            else:
+                raise
+        # pass through the response
+        return json.loads(response.body.decode())
+
+
+c = get_config()  # noqa
+
+# use our Authenticator
+c.JupyterHub.authenticator_class = ForcedLoginAuthenticator
+# tell it where the external launch app is
+c.ForcedLoginAuthenticator.token_provider_url = "http://127.0.0.1:9000/"
+
+
+# local testing config (fake spawner, localhost only)
+c.JupyterHub.ip = "127.0.0.1"
+c.JupyterHub.spawner_class = "simple"
--- a/examples/forced-login/requirements.txt
+++ b/examples/forced-login/requirements.txt
@@ -0,0 +1,3 @@
+fastapi
+jupyterhub
+yarl
--- a/examples/service-fastapi/README.md
+++ b/examples/service-fastapi/README.md
@@ -60,7 +60,7 @@ sudo docker build . -t service-fastapi
 sudo docker run -it -p 8000:8000 service-fastapi
 ```

-2. Visit http://127.0.0.1:8000/services/fastapi/docs. When going through the OAuth flow or getting a token from the control panel, you can log in with `testuser` / `passwd`.
+2. Visit http://127.0.0.1:8000/services/fastapi/docs. When going through the OAuth flow or getting a token from the control panel, you can log in with 'test-user' and any password.

 # PUBLIC_HOST

--- a/jsx/.eslintrc.json
+++ b/jsx/.eslintrc.json
@@ -1,44 +0,0 @@
-{
-  "extends": ["plugin:react/recommended"],
-  "parserOptions": {
-    "ecmaVersion": 2018,
-    "sourceType": "module",
-    "ecmaFeatures": {
-      "jsx": true
-    }
-  },
-  "settings": {
-    "react": {
-      "version": "detect"
-    }
-  },
-  "plugins": ["eslint-plugin-react", "prettier", "unused-imports"],
-  "env": {
-    "es6": true,
-    "browser": true
-  },
-  "rules": {
-    "semi": "off",
-    "quotes": "off",
-    "prettier/prettier": "warn",
-    "no-unused-vars": "off",
-    "unused-imports/no-unused-imports": "error",
-    "unused-imports/no-unused-vars": [
-      "warn",
-      {
-        "vars": "all",
-        "varsIgnorePattern": "^regeneratorRuntime|^_",
-        "args": "after-used",
-        "argsIgnorePattern": "^_"
-      }
-    ]
-  },
-  "overrides": [
-    {
-      "files": ["**/*.test.js", "**/*.test.jsx"],
-      "env": {
-        "jest": true
-      }
-    }
-  ]
-}
--- a/jsx/eslint.config.mjs
+++ b/jsx/eslint.config.mjs
@@ -0,0 +1,77 @@
+import { defineConfig } from "eslint/config";
+import react from "eslint-plugin-react";
+import prettier from "eslint-plugin-prettier";
+import unusedImports from "eslint-plugin-unused-imports";
+import globals from "globals";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import js from "@eslint/js";
+import { FlatCompat } from "@eslint/eslintrc";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const compat = new FlatCompat({
+  baseDirectory: __dirname,
+  recommendedConfig: js.configs.recommended,
+  allConfig: js.configs.all,
+});
+
+export default defineConfig([
+  {
+    extends: compat.extends("plugin:react/recommended"),
+
+    plugins: {
+      react,
+      prettier,
+      "unused-imports": unusedImports,
+    },
+
+    languageOptions: {
+      globals: {
+        ...globals.browser,
+      },
+
+      ecmaVersion: 2018,
+      sourceType: "module",
+
+      parserOptions: {
+        ecmaFeatures: {
+          jsx: true,
+        },
+      },
+    },
+
+    settings: {
+      react: {
+        version: "detect",
+      },
+    },
+
+    rules: {
+      semi: "off",
+      quotes: "off",
+      "prettier/prettier": "warn",
+      "no-unused-vars": "off",
+      "unused-imports/no-unused-imports": "error",
+
+      "unused-imports/no-unused-vars": [
+        "warn",
+        {
+          vars: "all",
+          varsIgnorePattern: "^regeneratorRuntime|^_",
+          args: "after-used",
+          argsIgnorePattern: "^_",
+        },
+      ],
+    },
+  },
+  {
+    files: ["**/*.test.js", "**/*.test.jsx"],
+
+    languageOptions: {
+      globals: {
+        ...globals.jest,
+      },
+    },
+  },
+]);
--- a/jsx/package-lock.json
+++ b/jsx/package-lock.json
--- a/jsx/package.json
+++ b/jsx/package.json
@@ -29,47 +29,51 @@
      "\\.(jpg|jpeg|png|gif|eot|otf|webp|svg|ttf|woff|woff2|mp4|webm|wav|mp3|m4a|aac|oga)$": "<rootDir>/__mocks__/fileMock.js",
      "\\.(css|less)$": "identity-obj-proxy"
    },
+    "setupFiles": [
+      "./testing/setup.jest.js"
+    ],
    "testEnvironment": "jsdom"
  },
  "dependencies": {
-    "bootstrap": "^5.3.3",
+    "bootstrap": "^5.3.8",
    "history": "^5.3.0",
    "lodash": "^4.17.21",
    "prop-types": "^15.8.1",
-    "react": "^18.3.1",
-    "react-bootstrap": "^2.10.5",
-    "react-dom": "^18.3.1",
-    "react-icons": "^5.3.0",
-    "react-multi-select-component": "^4.3.4",
-    "react-redux": "^9.1.2",
-    "react-router-dom": "^6.26.2",
-    "recompose": "npm:react-recompose@^0.33.0",
+    "react": "^19.1.1",
+    "react-bootstrap": "^2.10.10",
+    "react-dom": "^19.1.1",
+    "react-icons": "^5.5.0",
+    "react-redux": "^9.2.0",
+    "react-router": "^7.9.3",
    "redux": "^5.0.1",
    "regenerator-runtime": "^0.14.1"
  },
  "devDependencies": {
-    "@babel/core": "^7.21.4",
-    "@babel/preset-env": "^7.25.4",
-    "@babel/preset-react": "^7.24.7",
-    "@testing-library/jest-dom": "^6.5.0",
-    "@testing-library/react": "^16.0.1",
-    "@testing-library/user-event": "^14.5.2",
-    "@webpack-cli/serve": "^2.0.1",
-    "babel-jest": "^29.7.0",
-    "babel-loader": "^9.2.1",
+    "@babel/core": "^7.28.3",
+    "@babel/preset-env": "^7.28.3",
+    "@babel/preset-react": "^7.27.1",
+    "@eslint/eslintrc": "^3.3.1",
+    "@eslint/js": "^9.36.0",
+    "@testing-library/jest-dom": "^6.8.0",
+    "@testing-library/react": "^16.3.0",
+    "@testing-library/user-event": "^14.6.1",
+    "@webpack-cli/serve": "^3.0.1",
+    "babel-jest": "^30.2.0",
+    "babel-loader": "^10.0.0",
    "css-loader": "^7.1.2",
-    "eslint": "^9.11.1",
-    "eslint-plugin-prettier": "^5.2.1",
-    "eslint-plugin-react": "^7.37.1",
-    "eslint-plugin-unused-imports": "^4.1.4",
+    "eslint": "^9.36.0",
+    "eslint-plugin-prettier": "^5.5.4",
+    "eslint-plugin-react": "^7.37.5",
+    "eslint-plugin-unused-imports": "^4.2.0",
    "file-loader": "^6.2.0",
+    "globals": "^16.4.0",
    "identity-obj-proxy": "^3.0.0",
-    "jest": "^29.7.0",
-    "jest-environment-jsdom": "^29.7.0",
-    "prettier": "^3.3.3",
+    "jest": "^30.1.2",
+    "jest-environment-jsdom": "^30.2.0",
+    "prettier": "^3.6.2",
    "style-loader": "^4.0.0",
-    "webpack": "^5.95.0",
-    "webpack-cli": "^5.0.1",
-    "webpack-dev-server": "^5.1.0"
+    "webpack": "^5.102.0",
+    "webpack-cli": "^6.0.1",
+    "webpack-dev-server": "^5.2.2"
  }
 }
--- a/jsx/src/App.jsx
+++ b/jsx/src/App.jsx
@@ -2,10 +2,10 @@ import React from "react";
 import { createRoot } from "react-dom/client";
 import { Provider } from "react-redux";
 import { createStore } from "redux";
-import { compose } from "recompose";
+import { compose } from "./util/_recompose";
 import { initialState, reducers } from "./Store";
 import withAPI from "./util/withAPI";
-import { HashRouter, Routes, Route } from "react-router-dom";
+import { HashRouter, Routes, Route } from "react-router";

 import ServerDashboard from "./components/ServerDashboard/ServerDashboard";
 import Groups from "./components/Groups/Groups";
--- a/jsx/src/components/AddUser/AddUser.jsx
+++ b/jsx/src/components/AddUser/AddUser.jsx
@@ -1,6 +1,6 @@
 import React, { useState } from "react";
 import { useDispatch, useSelector } from "react-redux";
-import { Link, useNavigate } from "react-router-dom";
+import { Link, useNavigate } from "react-router";
 import { Button, Col } from "react-bootstrap";
 import PropTypes from "prop-types";
 import ErrorAlert from "../../util/error";
--- a/jsx/src/components/AddUser/AddUser.test.js
+++ b/jsx/src/components/AddUser/AddUser.test.js
@@ -1,10 +1,9 @@
 import React, { act } from "react";
 import "@testing-library/jest-dom";
 import { render, screen, fireEvent } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
 import { Provider, useDispatch, useSelector } from "react-redux";
 import { createStore } from "redux";
-import { HashRouter } from "react-router-dom";
+import { HashRouter } from "react-router";
 // eslint-disable-next-line
 import regeneratorRuntime from "regenerator-runtime";

--- a/jsx/src/components/CreateGroup/CreateGroup.jsx
+++ b/jsx/src/components/CreateGroup/CreateGroup.jsx
@@ -1,6 +1,6 @@
 import React, { useState } from "react";
 import { useDispatch, useSelector } from "react-redux";
-import { Link, useNavigate } from "react-router-dom";
+import { Link, useNavigate } from "react-router";
 import { Button, Card } from "react-bootstrap";
 import PropTypes from "prop-types";
 import { MainContainer } from "../../util/layout";
--- a/jsx/src/components/CreateGroup/CreateGroup.test.js
+++ b/jsx/src/components/CreateGroup/CreateGroup.test.js
@@ -4,7 +4,7 @@ import { render, screen, fireEvent } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
 import { Provider, useDispatch, useSelector } from "react-redux";
 import { createStore } from "redux";
-import { HashRouter } from "react-router-dom";
+import { HashRouter } from "react-router";
 // eslint-disable-next-line
 import regeneratorRuntime from "regenerator-runtime";
 import CreateGroup from "./CreateGroup";
--- a/jsx/src/components/EditUser/EditUser.jsx
+++ b/jsx/src/components/EditUser/EditUser.jsx
@@ -1,7 +1,7 @@
 import React, { useEffect, useState } from "react";
 import { useDispatch, useSelector } from "react-redux";
 import PropTypes from "prop-types";
-import { Link, useLocation, useNavigate } from "react-router-dom";
+import { Link, useLocation, useNavigate } from "react-router";
 import { Button, Card } from "react-bootstrap";
 import { MainContainer } from "../../util/layout";

--- a/jsx/src/components/EditUser/EditUser.test.js
+++ b/jsx/src/components/EditUser/EditUser.test.js
@@ -3,7 +3,7 @@ import "@testing-library/jest-dom";
 import { render, screen, fireEvent } from "@testing-library/react";
 import { Provider, useDispatch, useSelector } from "react-redux";
 import { createStore } from "redux";
-import { HashRouter } from "react-router-dom";
+import { HashRouter } from "react-router";
 // eslint-disable-next-line
 import regeneratorRuntime from "regenerator-runtime";

@@ -15,8 +15,8 @@ jest.mock("react-redux", () => ({
  useSelector: jest.fn(),
 }));

-jest.mock("react-router-dom", () => ({
-  ...jest.requireActual("react-router-dom"),
+jest.mock("react-router", () => ({
+  ...jest.requireActual("react-router"),
  useLocation: jest.fn().mockImplementation(() => {
    return { state: { username: "foo", has_admin: false } };
  }),
--- a/jsx/src/components/GroupEdit/GroupEdit.jsx
+++ b/jsx/src/components/GroupEdit/GroupEdit.jsx
@@ -1,6 +1,6 @@
 import React, { useEffect, useState } from "react";
 import { useSelector, useDispatch } from "react-redux";
-import { Link, useNavigate, useLocation } from "react-router-dom";
+import { Link, useNavigate, useLocation } from "react-router";
 import PropTypes from "prop-types";
 import { Button, Card } from "react-bootstrap";
 import GroupSelect from "../GroupSelect/GroupSelect";
@@ -42,6 +42,10 @@ const GroupEdit = (props) => {
    }
  }, [location]);

+  useEffect(() => {
+    setSelected(group_data.users);
+  }, []);
+
  const { group_data } = location.state || {};
  if (!group_data) return <div></div>;
  const [propobject, setProp] = useState(group_data.properties);
@@ -175,6 +179,7 @@ GroupEdit.propTypes = {
  removeFromGroup: PropTypes.func,
  deleteGroup: PropTypes.func,
  updateGroups: PropTypes.func,
+  updateProp: PropTypes.func,
  validateUser: PropTypes.func,
 };

--- a/jsx/src/components/GroupEdit/GroupEdit.test.jsx
+++ b/jsx/src/components/GroupEdit/GroupEdit.test.jsx
@@ -4,7 +4,7 @@ import { render, screen, fireEvent } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
 import { Provider, useSelector } from "react-redux";
 import { createStore } from "redux";
-import { HashRouter } from "react-router-dom";
+import { HashRouter } from "react-router";
 // eslint-disable-next-line
 import regeneratorRuntime from "regenerator-runtime";

@@ -15,8 +15,8 @@ jest.mock("react-redux", () => ({
  useSelector: jest.fn(),
 }));

-jest.mock("react-router-dom", () => ({
-  ...jest.requireActual("react-router-dom"),
+jest.mock("react-router", () => ({
+  ...jest.requireActual("react-router"),
  useLocation: jest.fn().mockImplementation(() => {
    return { state: { group_data: { users: ["foo"], name: "group" } } };
  }),
--- a/jsx/src/components/Groups/Groups.jsx
+++ b/jsx/src/components/Groups/Groups.jsx
@@ -3,7 +3,7 @@ import { useSelector, useDispatch } from "react-redux";
 import PropTypes from "prop-types";

 import { Button, Card } from "react-bootstrap";
-import { Link, useNavigate } from "react-router-dom";
+import { Link, useNavigate } from "react-router";
 import { usePaginationParams } from "../../util/paginationParams";
 import PaginationFooter from "../PaginationFooter/PaginationFooter";
 import { MainContainer } from "../../util/layout";
@@ -14,14 +14,13 @@ const Groups = (props) => {
  const dispatch = useDispatch();
  const navigate = useNavigate();

-  const { offset, handleLimit, limit, setPagination } = usePaginationParams();
+  const { offset, setOffset, handleLimit, limit } = usePaginationParams();

  const total = groups_page ? groups_page.total : undefined;

  const { updateGroups } = props;

  const dispatchPageUpdate = (data, page) => {
-    setPagination(page);
    dispatch({
      type: "GROUPS_PAGE",
      value: {
@@ -32,21 +31,39 @@ const Groups = (props) => {
  };

  // single callback to reload the page
-  // uses current state, or params can be specified if state
-  // should be updated _after_ load, e.g. offset
+  // uses current state
  const loadPageData = (params) => {
-    params = params || {};
-    return updateGroups(
-      params.offset === undefined ? offset : params.offset,
-      params.limit === undefined ? limit : params.limit,
-    )
-      .then((data) => dispatchPageUpdate(data.items, data._pagination))
-      .catch((err) => setErrorAlert("Failed to update group list."));
+    const abortHandle = { cancelled: false };
+    (async () => {
+      try {
+        const data = await updateGroups(offset, limit);
+        // cancelled (e.g. param changed while waiting for response)
+        if (abortHandle.cancelled) return;
+        if (
+          data._pagination.offset &&
+          data._pagination.total <= data._pagination.offset
+        ) {
+          // reset offset if we're out of bounds,
+          // then load again
+          setOffset(0);
+          return;
+        }
+        // actually update page data
+        dispatchPageUpdate(data.items, data._pagination);
+      } catch (e) {
+        console.error("Failed to update group list.", e);
+      }
+    })();
+    // returns cancellation callback
+    return () => {
+      // cancel stale load
+      abortHandle.cancelled = true;
+    };
  };

  useEffect(() => {
-    loadPageData();
-  }, [limit]);
+    return loadPageData();
+  }, [limit, offset]);

  if (!groups_data || !groups_page) {
    return <div data-testid="no-show"></div>;
@@ -78,13 +95,15 @@ const Groups = (props) => {
            )}
          </ul>
          <PaginationFooter
-            offset={offset}
+            offset={groups_page.offset}
            limit={limit}
            visible={groups_data.length}
            total={total}
-            next={() => loadPageData({ offset: offset + limit })}
+            next={() => setOffset(groups_page.offset + limit)}
            prev={() =>
-              loadPageData({ offset: limit > offset ? 0 : offset - limit })
+              setOffset(
+                limit > groups_page.offset ? 0 : groups_page.offset - limit,
+              )
            }
            handleLimit={handleLimit}
          />
--- a/jsx/src/components/Groups/Groups.test.js
+++ b/jsx/src/components/Groups/Groups.test.js
@@ -3,7 +3,7 @@ import "@testing-library/jest-dom";
 import { render, screen, fireEvent } from "@testing-library/react";
 import { Provider, useSelector } from "react-redux";
 import { createStore } from "redux";
-import { HashRouter, useSearchParams } from "react-router-dom";
+import { HashRouter, useSearchParams } from "react-router";
 // eslint-disable-next-line
 import regeneratorRuntime from "regenerator-runtime";

@@ -15,8 +15,8 @@ jest.mock("react-redux", () => ({
  useSelector: jest.fn(),
 }));

-jest.mock("react-router-dom", () => ({
-  ...jest.requireActual("react-router-dom"),
+jest.mock("react-router", () => ({
+  ...jest.requireActual("react-router"),
  useSearchParams: jest.fn(),
 }));

@@ -57,13 +57,34 @@ var mockAppState = () =>
    },
  });

+var mockUpdateGroups = () => {
+  const state = mockAppState();
+  return jest.fn().mockImplementation((offset, limit) =>
+    Promise.resolve({
+      items: state.groups_data.slice(0, limit),
+      _pagination: {
+        offset: offset,
+        limit: limit || 2,
+        total: state.groups_page.total,
+      },
+    }),
+  );
+};
+
+let searchParams = new URLSearchParams();
+
 beforeEach(() => {
  useSelector.mockImplementation((callback) => {
    return callback(mockAppState());
  });
-  useSearchParams.mockImplementation(() => {
-    return [new URLSearchParams(), jest.fn()];
-  });
+  searchParams = new URLSearchParams();
+  searchParams.set("limit", "2");
+  useSearchParams.mockImplementation(() => [
+    searchParams,
+    (callback) => {
+      searchParams = callback(searchParams);
+    },
+  ]);
 });

 afterEach(() => {
@@ -74,7 +95,7 @@ afterEach(() => {
 });

 test("Renders", async () => {
-  let callbackSpy = mockAsync();
+  let callbackSpy = mockUpdateGroups();

  await act(async () => {
    render(groupsJsx(callbackSpy));
@@ -84,7 +105,7 @@ test("Renders", async () => {
 });

 test("Renders groups_data prop into links", async () => {
-  let callbackSpy = mockAsync();
+  let callbackSpy = mockUpdateGroups();

  await act(async () => {
    render(groupsJsx(callbackSpy));
@@ -102,7 +123,7 @@ test("Renders nothing if required data is not available", async () => {
    return callback({});
  });

-  let callbackSpy = mockAsync();
+  let callbackSpy = mockUpdateGroups();

  await act(async () => {
    render(groupsJsx(callbackSpy));
@@ -113,34 +134,24 @@ test("Renders nothing if required data is not available", async () => {
 });

 test("Interacting with PaginationFooter causes page refresh", async () => {
-  let updateGroupsSpy = mockAsync();
-  let setSearchParamsSpy = mockAsync();
-  let searchParams = new URLSearchParams({ limit: "2" });
-  useSearchParams.mockImplementation(() => [
-    searchParams,
-    (callback) => {
-      searchParams = callback(searchParams);
-      setSearchParamsSpy(searchParams.toString());
-    },
-  ]);
-  let _, setSearchParams;
+  let updateGroupsSpy = mockUpdateGroups();
  await act(async () => {
    render(groupsJsx(updateGroupsSpy));
-    [_, setSearchParams] = useSearchParams();
  });

-  expect(updateGroupsSpy).toBeCalledWith(0, 2);
+  expect(updateGroupsSpy).toHaveBeenCalledWith(0, 2);

  var lastState =
    mockReducers.mock.results[mockReducers.mock.results.length - 1].value;
  expect(lastState.groups_page.offset).toEqual(0);
  expect(lastState.groups_page.limit).toEqual(2);
+  expect(searchParams.get("offset")).toEqual(null);

  let next = screen.getByTestId("paginate-next");
  await act(async () => {
    await fireEvent.click(next);
  });
-  expect(updateGroupsSpy).toBeCalledWith(2, 2);
-  // mocked updateGroups means callback after load doesn't fire
-  // expect(setSearchParamsSpy).toBeCalledWith("limit=2&offset=2");
+  expect(searchParams.get("offset")).toEqual("2");
+  // FIXME: useSelector mocks prevent updateGroups from being called
+  // expect(updateGroupsSpy).toHaveBeenCalledWith(2, 2);
 });
--- a/jsx/src/components/ServerDashboard/ServerDashboard.jsx
+++ b/jsx/src/components/ServerDashboard/ServerDashboard.jsx
@@ -3,6 +3,7 @@ import { useSelector, useDispatch } from "react-redux";
 import { debounce } from "lodash";
 import PropTypes from "prop-types";
 import ErrorAlert from "../../util/error";
+import { User, Server } from "../../util/jhapiUtil";

 import {
  Button,
@@ -16,7 +17,7 @@ import {
 } from "react-bootstrap";
 import ReactObjectTableViewer from "../ReactObjectTableViewer/ReactObjectTableViewer";

-import { Link, useSearchParams, useNavigate } from "react-router-dom";
+import { Link, useSearchParams, useNavigate } from "react-router";
 import { FaSort, FaSortUp, FaSortDown } from "react-icons/fa";

 import "./server-dashboard.css";
@@ -41,7 +42,7 @@ const ServerDashboard = (props) => {
  let user_data = useSelector((state) => state.user_data);
  const user_page = useSelector((state) => state.user_page);

-  const { offset, setLimit, handleLimit, limit, setPagination } =
+  const { offset, setOffset, setLimit, handleLimit, limit } =
    usePaginationParams();

  const name_filter = searchParams.get("name_filter") || "";
@@ -64,12 +65,6 @@ const ServerDashboard = (props) => {
  } = props;

  const dispatchPageUpdate = (data, page) => {
-    // trigger page update in state
-    // in response to fetching updated user list
-    // data is list of user records
-    // page is _pagination part of response
-    // persist page info in url query
-    setPagination(page);
    // persist user data, triggers rerender
    dispatch({
      type: "USER_PAGE",
@@ -127,35 +122,47 @@ const ServerDashboard = (props) => {
    });
  };

-  // the callback to update the displayed user list
-  const updateUsersWithParams = (params) => {
-    if (params) {
-      if (params.offset !== undefined && params.offset < 0) {
-        params.offset = 0;
-      }
-    }
-    return updateUsers({
-      offset: offset,
+  // single callback to reload the page
+  // uses current state
+  const loadPageData = () => {
+    const abortHandle = { cancelled: false };
+    (async () => {
+      try {
+        const data = await updateUsers({
+          offset,
          limit,
          name_filter,
          sort,
          state: state_filter,
-      ...params,
        });
+        // cancelled (e.g. param changed while waiting for response)
+        if (abortHandle.cancelled) return;
+        if (
+          data._pagination.offset &&
+          data._pagination.total <= data._pagination.offset
+        ) {
+          // reset offset if we're out of bounds,
+          // then load again
+          setOffset(0);
+          return;
+        }
+        // actually update page data
+        dispatchPageUpdate(data.items, data._pagination);
+      } catch (e) {
+        console.error("Failed to update user list.", e);
+        setErrorAlert("Failed to update user list.");
+      }
+    })();
+    // returns cancellation callback
+    return () => {
+      // cancel stale load
+      abortHandle.cancelled = true;
    };
-
-  // single callback to reload the page
-  // uses current state, or params can be specified if state
-  // should be updated _after_ load, e.g. offset
-  const loadPageData = (params) => {
-    return updateUsersWithParams(params)
-      .then((data) => dispatchPageUpdate(data.items, data._pagination))
-      .catch((err) => setErrorAlert("Failed to update user list."));
  };

  useEffect(() => {
-    loadPageData();
-  }, [limit, name_filter, sort, state_filter]);
+    return loadPageData();
+  }, [limit, name_filter, offset, sort, state_filter]);

  if (!user_data || !user_page) {
    return <div data-testid="no-show"></div>;
@@ -203,6 +210,15 @@ const ServerDashboard = (props) => {
    );
  };

+  ServerButton.propTypes = {
+    server: Server,
+    user: User,
+    action: PropTypes.string,
+    name: PropTypes.string,
+    variant: PropTypes.string,
+    extraClass: PropTypes.string,
+  };
+
  const StopServerButton = ({ server, user }) => {
    if (!server.ready) {
      return null;
@@ -216,6 +232,12 @@ const ServerDashboard = (props) => {
      extraClass: "stop-button",
    });
  };
+
+  StopServerButton.propTypes = {
+    server: Server,
+    user: User,
+  };
+
  const DeleteServerButton = ({ server, user }) => {
    if (!server.name) {
      // It's not possible to delete unnamed servers
@@ -234,6 +256,11 @@ const ServerDashboard = (props) => {
    });
  };

+  DeleteServerButton.propTypes = {
+    server: Server,
+    user: User,
+  };
+
  const StartServerButton = ({ server, user }) => {
    if (server.ready) {
      return null;
@@ -248,6 +275,11 @@ const ServerDashboard = (props) => {
    });
  };

+  StartServerButton.propTypes = {
+    server: Server,
+    user: User,
+  };
+
  const SpawnPageButton = ({ server, user }) => {
    if (server.ready) {
      return null;
@@ -265,6 +297,11 @@ const ServerDashboard = (props) => {
    );
  };

+  SpawnPageButton.propTypes = {
+    server: Server,
+    user: User,
+  };
+
  const AccessServerButton = ({ server }) => {
    if (!server.ready) {
      return null;
@@ -277,6 +314,9 @@ const ServerDashboard = (props) => {
      </a>
    );
  };
+  AccessServerButton.propTypes = {
+    server: Server,
+  };

  const EditUserButton = ({ user }) => {
    return (
@@ -297,10 +337,17 @@ const ServerDashboard = (props) => {
    );
  };

-  const ServerRowTable = ({ data }) => {
+  EditUserButton.propTypes = {
+    user: User,
+  };
+
+  const ServerRowTable = ({ data, exclude }) => {
    const sortedData = Object.keys(data)
      .sort()
      .reduce(function (result, key) {
+        if (exclude && exclude.includes(key)) {
+          return result;
+        }
        let value = data[key];
        switch (key) {
          case "last_activity":
@@ -340,12 +387,17 @@ const ServerDashboard = (props) => {
    );
  };

-  const serverRow = (user, server) => {
-    const { servers, ...userNoServers } = user;
+  ServerRowTable.propTypes = {
+    data: Server,
+    exclude: PropTypes.arrayOf(PropTypes.string),
+  };
+
+  const ServerRow = ({ user, server }) => {
    const serverNameDash = server.name ? `-${server.name}` : "";
    const userServerName = user.name + serverNameDash;
    const open = collapseStates[userServerName] || false;
-    return [
+    return (
+      <Fragment key={`${userServerName}-row`}>
        <tr
          key={`${userServerName}-row`}
          data-testid={`user-row-${userServerName}`}
@@ -389,7 +441,7 @@ const ServerDashboard = (props) => {
            <SpawnPageButton server={server} user={user} />
            <EditUserButton user={user} />
          </td>
-      </tr>,
+        </tr>
        <tr key={`${userServerName}-detail`}>
          <td
            colSpan={6}
@@ -403,7 +455,7 @@ const ServerDashboard = (props) => {
              >
                <Card style={{ width: "100%", padding: 3, margin: "0 auto" }}>
                  <Card.Title>User</Card.Title>
-                <ServerRowTable data={userNoServers} />
+                  <ServerRowTable data={user} exclude={["server", "servers"]} />
                </Card>
                <Card style={{ width: "100%", padding: 3, margin: "0 auto" }}>
                  <Card.Title>Server</Card.Title>
@@ -412,16 +464,24 @@ const ServerDashboard = (props) => {
              </CardGroup>
            </Collapse>
          </td>
-      </tr>,
-    ];
+        </tr>
+      </Fragment>
+    );
  };

-  let servers = user_data.flatMap((user) => {
-    let userServers = Object.values({
+  ServerRow.propTypes = {
+    user: User,
+    server: Server,
+  };
+
+  const serverRows = user_data.flatMap((user) => {
+    const userServers = Object.values({
+      // eslint-disable-next-line react/prop-types
      "": user.server || {},
+      // eslint-disable-next-line react/prop-types
      ...(user.servers || {}),
    });
-    return userServers.map((server) => [user, server]);
+    return userServers.map((server) => ServerRow({ user, server }));
  });

  return (
@@ -508,7 +568,7 @@ const ServerDashboard = (props) => {
                  variant="primary"
                  className="start-all"
                  data-testid="start-all"
-                  title="start all servers on the current page"
+                  title="Start all default servers on the current page"
                  onClick={() => {
                    Promise.all(startAll(user_data.map((e) => e.name)))
                      .then((res) => {
@@ -539,11 +599,12 @@ const ServerDashboard = (props) => {
                  variant="danger"
                  className="stop-all"
                  data-testid="stop-all"
-                  title="stop all servers on the current page"
+                  title="Stop all servers including named servers on the current page"
                  onClick={() => {
                    Promise.all(stopAll(user_data.map((e) => e.name)))
                      .then((res) => {
-                        let failedServers = res.filter((e) => !e.ok);
+                        // Array of arrays of servers for each user
+                        let failedServers = res.flat().filter((e) => !e.ok);
                        if (failedServers.length > 0) {
                          setErrorAlert(
                            `Failed to stop ${failedServers.length} ${
@@ -576,20 +637,20 @@ const ServerDashboard = (props) => {
                </Button>
              </td>
            </tr>
-            {servers.flatMap(([user, server]) => serverRow(user, server))}
+            {serverRows}
          </tbody>
        </table>
        <PaginationFooter
-          offset={offset}
+          // use user_page for display, which is what's on the page
+          // setOffset immediately updates url state and _requests_ an update
+          // but takes finite time before user_page is updated
+          offset={user_page.offset}
          limit={limit}
          visible={user_data.length}
          total={total}
-          // don't trigger via setOffset state change,
-          // which can cause infinite cycles.
-          // offset state will be set upon reply via setPagination
-          next={() => loadPageData({ offset: offset + limit })}
+          next={() => setOffset(user_page.offset + limit)}
          prev={() =>
-            loadPageData({ offset: limit > offset ? 0 : offset - limit })
+            setOffset(limit > user_page.offset ? 0 : user_page.offset - limit)
          }
          handleLimit={handleLimit}
        />
@@ -600,7 +661,7 @@ const ServerDashboard = (props) => {
 };

 ServerDashboard.propTypes = {
-  user_data: PropTypes.array,
+  user_data: PropTypes.arrayOf(User),
  updateUsers: PropTypes.func,
  shutdownHub: PropTypes.func,
  startServer: PropTypes.func,
--- a/jsx/src/components/ServerDashboard/ServerDashboard.test.js
+++ b/jsx/src/components/ServerDashboard/ServerDashboard.test.js
@@ -1,5 +1,5 @@
 import React, { act } from "react";
-import { withProps } from "recompose";
+import { withProps } from "../../util/_recompose";
 import "@testing-library/jest-dom";
 import userEvent from "@testing-library/user-event";
 import {
@@ -9,8 +9,7 @@ import {
  getByText,
  getAllByRole,
 } from "@testing-library/react";
-import { HashRouter, Routes, Route, useSearchParams } from "react-router-dom";
-// import { CompatRouter,  } from "react-router-dom-v5-compat";
+import { HashRouter, Routes, Route, useSearchParams } from "react-router";
 import { Provider, useSelector } from "react-redux";
 import { createStore } from "redux";
 // eslint-disable-next-line
@@ -23,8 +22,8 @@ jest.mock("react-redux", () => ({
  ...jest.requireActual("react-redux"),
  useSelector: jest.fn(),
 }));
-jest.mock("react-router-dom", () => ({
-  ...jest.requireActual("react-router-dom"),
+jest.mock("react-router", () => ({
+  ...jest.requireActual("react-router"),
  useSearchParams: jest.fn(),
 }));

@@ -592,14 +591,14 @@ test("Search for user calls updateUsers with name filter", async () => {
  expect(searchParams.get("offset")).toEqual(null);
  // FIXME: useSelector mocks prevent updateUsers from being called
  // expect(mockUpdateUsers.mock.calls).toHaveLength(2);
-  // expect(mockUpdateUsers).toBeCalledWith(0, 100, "a");
+  // expect(mockUpdateUsers).toHaveBeenCalledWith(0, 100, "a");
  await user.type(search, "b");
  expect(search.value).toEqual("ab");
  await act(async () => {
    jest.runAllTimers();
  });
  expect(searchParams.get("name_filter")).toEqual("ab");
-  // expect(mockUpdateUsers).toBeCalledWith(0, 100, "ab");
+  // expect(mockUpdateUsers).toHaveBeenCalledWith(0, 100, "ab");
 });

 test("Interacting with PaginationFooter requests page update", async () => {
@@ -607,7 +606,7 @@ test("Interacting with PaginationFooter requests page update", async () => {
    render(serverDashboardJsx());
  });

-  expect(mockUpdateUsers).toBeCalledWith(defaultUpdateUsersParams);
+  expect(mockUpdateUsers).toHaveBeenCalledWith(defaultUpdateUsersParams);

  var n = 3;
  expect(searchParams.get("offset")).toEqual(null);
@@ -618,11 +617,12 @@ test("Interacting with PaginationFooter requests page update", async () => {
    fireEvent.click(next);
    jest.runAllTimers();
  });
-
-  expect(mockUpdateUsers).toBeCalledWith({
-    ...defaultUpdateUsersParams,
-    offset: 2,
-  });
+  expect(searchParams.get("offset")).toEqual("2");
+  // FIXME: useSelector mocks prevent updateUsers from being called
+  // expect(mockUpdateUsers).toHaveBeenCalledWith({
+  //   ...defaultUpdateUsersParams,
+  //   offset: 2,
+  // });
 });

 test("Server delete button exists for named servers", async () => {
--- a/jsx/src/util/_recompose.js
+++ b/jsx/src/util/_recompose.js
@@ -0,0 +1,35 @@
+// extracted tiny subset we use from react-recompose
+// we probably don't need these at all,
+// but vendor before refactoring
+
+// https://github.com/acdlite/recompose
+// License: MIT
+// Copyright (c) 2015-2018 Andrew Clark
+
+import { createElement } from "react";
+
+function createFactory(type) {
+  return createElement.bind(null, type);
+}
+
+export const compose = (...funcs) =>
+  funcs.reduce(
+    (a, b) =>
+      (...args) =>
+        a(b(...args)),
+    (arg) => arg,
+  );
+
+const mapProps = (propsMapper) => (BaseComponent) => {
+  const factory = createFactory(BaseComponent);
+  const MapProps = (props) => factory(propsMapper(props));
+  return MapProps;
+};
+
+export const withProps = (input) => {
+  const hoc = mapProps((props) => ({
+    ...props,
+    ...(typeof input === "function" ? input(props) : input),
+  }));
+  return hoc;
+};
--- a/jsx/src/util/jhapiUtil.js
+++ b/jsx/src/util/jhapiUtil.js
@@ -1,3 +1,5 @@
+import PropTypes from "prop-types";
+
 const jhdata = window.jhdata || {};
 const base_url = jhdata.base_url || "/";
 const xsrfToken = jhdata.xsrf_token;
@@ -17,3 +19,21 @@ export const jhapiRequest = (endpoint, method, data) => {
    body: data ? JSON.stringify(data) : null,
  });
 };
+
+// need to declare the subset of fields we use, at least
+export const Server = PropTypes.shape({
+  name: PropTypes.string,
+  url: PropTypes.string,
+  active: PropTypes.boolean,
+  pending: PropTypes.string,
+  last_activity: PropTypes.string,
+});
+
+export const User = PropTypes.shape({
+  admin: PropTypes.boolean,
+  name: PropTypes.string,
+  last_activity: PropTypes.string,
+  url: PropTypes.string,
+  server: Server,
+  servers: PropTypes.objectOf(Server),
+});
--- a/jsx/src/util/layout.jsx
+++ b/jsx/src/util/layout.jsx
@@ -1,7 +1,7 @@
 import React from "react";
-import { withProps } from "recompose";
 import { Col, Row, Container } from "react-bootstrap";
 import PropTypes from "prop-types";
+import { withProps } from "./_recompose";
 import ErrorAlert from "./error";

 export const MainCol = (props) => {
--- a/jsx/src/util/paginationParams.js
+++ b/jsx/src/util/paginationParams.js
@@ -1,5 +1,5 @@
 import { debounce } from "lodash";
-import { useSearchParams } from "react-router-dom";
+import { useSearchParams } from "react-router";

 export const usePaginationParams = () => {
  // get offset, limit, name filter from URL
--- a/jsx/src/util/withAPI.js
+++ b/jsx/src/util/withAPI.js
@@ -1,4 +1,4 @@
-import { withProps } from "recompose";
+import { withProps } from "./_recompose";
 import { jhapiRequest } from "./jhapiUtil";

 const withAPI = withProps(() => ({
@@ -30,7 +30,17 @@ const withAPI = withProps(() => ({
  startAll: (names) =>
    names.map((e) => jhapiRequest("/users/" + e + "/server", "POST")),
  stopAll: (names) =>
-    names.map((e) => jhapiRequest("/users/" + e + "/server", "DELETE")),
+    names.map((name) =>
+      jhapiRequest("/users/" + name, "GET")
+        .then((data) => data.json())
+        .then((data) =>
+          Promise.all(
+            Object.keys(data.servers).map((server) =>
+              jhapiRequest("/users/" + name + "/servers/" + server, "DELETE"),
+            ),
+          ),
+        ),
+    ),
  addToGroup: (users, groupname) =>
    jhapiRequest("/groups/" + groupname + "/users", "POST", { users }),
  updateProp: (propobject, groupname) =>
--- a/jsx/testing/setup.jest.js
+++ b/jsx/testing/setup.jest.js
@@ -0,0 +1,5 @@
+// Workaround "ReferenceError: TextEncoder is not defined"
+// https://stackoverflow.com/questions/68468203/why-am-i-getting-textencoder-is-not-defined-in-jest/68468204#68468204
+// https://jestjs.io/docs/configuration#setupfiles-array
+import { TextEncoder, TextDecoder } from "util";
+Object.assign(global, { TextDecoder, TextEncoder });
--- a/jupyterhub/_version.py
+++ b/jupyterhub/_version.py
@@ -3,7 +3,7 @@
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
 # version_info updated by running `tbump`
-version_info = (5, 2, 1, "", "")
+version_info = (5, 4, 0, "", "")

 # pep 440 version: no dot before beta/rc, but before .dev
 # 0.1.0rc1
--- a/jupyterhub/_xsrf_utils.py
+++ b/jupyterhub/_xsrf_utils.py
@@ -10,7 +10,9 @@ in both Hub and single-user code

 import base64
 import hashlib
+import os
 from http.cookies import SimpleCookie
+from ipaddress import ip_address, ip_network

 from tornado import web
 from tornado.log import app_log
@@ -104,8 +106,11 @@ def _get_xsrf_token_cookie(handler):
    return (None, None)


-def _set_xsrf_cookie(handler, xsrf_id, *, cookie_path="", authenticated=None):
+def _set_xsrf_cookie(
+    handler, xsrf_id, *, cookie_path="", authenticated=None, xsrf_token=None
+):
    """Set xsrf token cookie"""
+    if xsrf_token is None:
        xsrf_token = _create_signed_value_urlsafe(handler, "_xsrf", xsrf_id)
    xsrf_cookie_kwargs = {}
    xsrf_cookie_kwargs.update(handler.settings.get('xsrf_cookie_kwargs', {}))
@@ -128,6 +133,7 @@ def _set_xsrf_cookie(handler, xsrf_id, *, cookie_path="", authenticated=None):
        xsrf_cookie_kwargs,
    )
    handler.set_cookie("_xsrf", xsrf_token, **xsrf_cookie_kwargs)
+    return xsrf_token


 def get_xsrf_token(handler, cookie_path=""):
@@ -173,7 +179,9 @@ def get_xsrf_token(handler, cookie_path=""):
            )

    if _set_cookie:
-        _set_xsrf_cookie(handler, xsrf_id, cookie_path=cookie_path)
+        _set_xsrf_cookie(
+            handler, xsrf_id, cookie_path=cookie_path, xsrf_token=xsrf_token
+        )
    handler._xsrf_token = xsrf_token
    return xsrf_token

@@ -230,18 +238,71 @@ def check_xsrf_cookie(handler):
        )


+# allow disabling using ip in anonymous id
+def _get_anonymous_ip_cidrs():
+    """
+    List of CIDRs to consider anonymous from $JUPYTERHUB_XSRF_ANONYMOUS_IP_CIDRS
+
+    e.g. private network IPs, which likely mean proxy ips
+    and do not meaningfully distinguish users
+    (fixing proxy headers would usually fix this).
+    """
+    cidr_list_env = os.environ.get("JUPYTERHUB_XSRF_ANONYMOUS_IP_CIDRS")
+    if not cidr_list_env:
+        return []
+    return [ip_network(cidr) for cidr in cidr_list_env.split(";")]
+
+
+_anonymous_ip_cidrs = _get_anonymous_ip_cidrs()
+
+# allow specifying which headers to use for anonymous id
+# (default: User-Agent)
+# these should be stable (over a few minutes) for a single client and unlikely
+# to be shared across users
+_anonymous_id_headers = os.environ.get(
+    "JUPYTERHUB_XSRF_ANONYMOUS_ID_HEADERS", "User-Agent"
+).split(";")
+
+
 def _anonymous_xsrf_id(handler):
    """Generate an appropriate xsrf token id for an anonymous request

    Currently uses hash of request ip and user-agent

+    These are typically used only for the initial login page,
+    and don't need to be perfectly unique, just:
+
+    1. reasonably stable for a single user for the duration of a login
+       (a few requests, which may pass through different proxies)
+    2. somewhat unlikely to be shared across users
+
    These are typically used only for the initial login page,
    so only need to be valid for a few seconds to a few minutes
    (enough to submit a login form with MFA).
    """
    hasher = hashlib.sha256()
-    hasher.update(handler.request.remote_ip.encode("ascii"))
-    hasher.update(
-        handler.request.headers.get("User-Agent", "").encode("utf8", "replace")
-    )
+    ip = ip_to_hash = handler.request.remote_ip
+    try:
+        ip_addr = ip_address(ip)
+    except ValueError as e:
+        # invalid ip ?!
+        app_log.error("Error parsing remote ip %r: %s", ip, e)
+    else:
+        # if the ip is private (e.g. a cluster ip),
+        # this is almost certainly a proxy ip and not useful
+        # for distinguishing request origin.
+        # A proxy has the double downside of multiple replicas
+        # meaning the value can change from one request to the next for the
+        # same 'true' origin, resulting in unavoidable xsrf mismatch errors
+        for cidr in _anonymous_ip_cidrs:
+            if ip_addr in cidr:
+                # use matching cidr
+                ip_to_hash = str(cidr)
+                break
+    hasher.update(ip_to_hash.encode("ascii"))
+    for name in _anonymous_id_headers:
+        header = handler.request.headers.get(name, "")
+        hasher.update(header.encode("utf8", "replace"))
+        # field delimiter (should be something not valid utf8)
+        hasher.update(b"\xff")
    return base64.urlsafe_b64encode(hasher.digest()).decode("ascii")
--- a/jupyterhub/apihandlers/groups.py
+++ b/jupyterhub/apihandlers/groups.py
@@ -3,6 +3,7 @@
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
 import json
+from warnings import warn

 from tornado import web

@@ -35,6 +36,11 @@ class _GroupAPIHandler(APIHandler):

    def check_authenticator_managed_groups(self):
        """Raise error on group-management APIs if Authenticator is managing groups"""
+        warn(
+            "check_authenticator_managed_groups is deprecated in JupyterHub 5.3.",
+            DeprecationWarning,
+            stacklevel=2,
+        )
        if self.authenticator.manage_groups:
            raise web.HTTPError(400, "Group management via API is disabled")

@@ -73,9 +79,6 @@ class GroupListAPIHandler(_GroupAPIHandler):
    @needs_scope('admin:groups')
    async def post(self):
        """POST creates Multiple groups"""
-
-        self.check_authenticator_managed_groups()
-
        model = self.get_json_body()
        if not model or not isinstance(model, dict) or not model.get('groups'):
            raise web.HTTPError(400, "Must specify at least one group to create")
@@ -115,7 +118,6 @@ class GroupAPIHandler(_GroupAPIHandler):
    @needs_scope('admin:groups')
    async def post(self, group_name):
        """POST creates a group by name"""
-        self.check_authenticator_managed_groups()
        model = self.get_json_body()
        if model is None:
            model = {}
@@ -143,7 +145,6 @@ class GroupAPIHandler(_GroupAPIHandler):
    @needs_scope('delete:groups')
    def delete(self, group_name):
        """Delete a group by name"""
-        self.check_authenticator_managed_groups()
        group = self.find_group(group_name)
        self.log.info("Deleting group %s", group_name)
        self.db.delete(group)
@@ -157,7 +158,6 @@ class GroupUsersAPIHandler(_GroupAPIHandler):
    @needs_scope('groups')
    def post(self, group_name):
        """POST adds users to a group"""
-        self.check_authenticator_managed_groups()
        group = self.find_group(group_name)
        data = self.get_json_body()
        self._check_group_model(data)
@@ -176,7 +176,6 @@ class GroupUsersAPIHandler(_GroupAPIHandler):
    @needs_scope('groups')
    async def delete(self, group_name):
        """DELETE removes users from a group"""
-        self.check_authenticator_managed_groups()
        group = self.find_group(group_name)
        data = self.get_json_body()
        self._check_group_model(data)
--- a/jupyterhub/apihandlers/hub.py
+++ b/jupyterhub/apihandlers/hub.py
@@ -52,6 +52,17 @@ class ShutdownAPIHandler(APIHandler):


 class RootAPIHandler(APIHandler):
+    def set_default_headers(self):
+        """
+        Set any headers passed as tornado_settings['headers'].
+
+        Also responsible for setting content-type header
+        """
+        if 'Access-Control-Allow-Origin' not in self.settings.get("headers", {}):
+            # allow CORS requests to this endpoint by default
+            self.set_header('Access-Control-Allow-Origin', '*')
+        super().set_default_headers()
+
    def check_xsrf_cookie(self):
        return

--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -24,6 +24,7 @@ from ..roles import assign_default_roles
 from ..scopes import needs_scope
 from ..user import User
 from ..utils import (
+    format_exception,
    isoformat,
    iterate_until,
    maybe_future,
@@ -260,7 +261,7 @@ class UserListAPIHandler(APIHandler):
            raise web.HTTPError(400, msg)

        if not to_create:
-            raise web.HTTPError(409, "All %i users already exist" % len(usernames))
+            raise web.HTTPError(409, f"All {len(usernames)} users already exist")

        created = []
        for name in to_create:
@@ -865,15 +866,14 @@ class SpawnProgressAPIHandler(APIHandler):
                failed_event['message'] = "Spawn cancelled"
            elif f and f.done() and f.exception():
                exc = f.exception()
-                message = getattr(exc, "jupyterhub_message", str(exc))
+                message, html_message = format_exception(exc)
                failed_event['message'] = f"Spawn failed: {message}"
-                html_message = getattr(exc, "jupyterhub_html_message", "")
                if html_message:
                    failed_event['html_message'] = html_message
-                await self.send_event(failed_event)
-                return
            else:
                raise web.HTTPError(400, "%s is not starting...", spawner._log_name)
+            await self.send_event(failed_event)
+            return

        # retrieve progress events from the Spawner
        async with aclosing(
@@ -906,9 +906,8 @@ class SpawnProgressAPIHandler(APIHandler):
                failed_event['message'] = "Spawn cancelled"
            elif f and f.done() and f.exception():
                exc = f.exception()
-                message = getattr(exc, "jupyterhub_message", str(exc))
+                message, html_message = format_exception(exc)
                failed_event['message'] = f"Spawn failed: {message}"
-                html_message = getattr(exc, "jupyterhub_html_message", "")
                if html_message:
                    failed_event['html_message'] = html_message
            else:
@@ -1034,7 +1033,7 @@ class ActivityAPIHandler(APIHandler):
                        user.name,
                        server_name,
                        isoformat(last_activity),
-                        isoformat(user.last_activity),
+                        isoformat(spawner.last_activity),
                    )

        self.db.commit()
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -32,7 +32,7 @@ from dateutil.parser import parse as parse_date
 from jinja2 import ChoiceLoader, Environment, FileSystemLoader, PrefixLoader
 from jupyter_events.logger import EventLogger
 from sqlalchemy.exc import OperationalError, SQLAlchemyError
-from sqlalchemy.orm import joinedload
+from sqlalchemy.orm import contains_eager, selectinload
 from tornado import gen, web
 from tornado.httpclient import AsyncHTTPClient
 from tornado.ioloop import IOLoop, PeriodicCallback
@@ -1692,7 +1692,11 @@ class JupyterHub(Application):
        """add a url prefix to handlers"""
        for i, tup in enumerate(handlers):
            lis = list(tup)
+            if tup[0]:
                lis[0] = url_path_join(prefix, tup[0])
+            else:
+                # the '' route should match /prefix not /prefix/
+                lis[0] = prefix.rstrip("/")
            handlers[i] = tuple(lis)
        return handlers

@@ -1922,7 +1926,11 @@ class JupyterHub(Application):
                self.internal_ssl_components_trust
            )

-            default_alt_names = ["IP:127.0.0.1", "DNS:localhost"]
+            default_alt_names = [
+                "IP:127.0.0.1",
+                "IP:0:0:0:0:0:0:0:1",
+                "DNS:localhost",
+            ]
            if self.subdomain_host:
                default_alt_names.append(
                    f"DNS:{urlparse(self.subdomain_host).hostname}"
@@ -1976,12 +1984,16 @@ class JupyterHub(Application):

            # Configure the AsyncHTTPClient. This will affect anything using
            # AsyncHTTPClient.
-            ssl_context = make_ssl_context(
-                self.internal_ssl_key,
-                self.internal_ssl_cert,
-                cafile=self.internal_ssl_ca,
+            # can't use ssl_options in case of pycurl
+            AsyncHTTPClient.configure(
+                AsyncHTTPClient.configured_class(),
+                defaults=dict(
+                    ca_certs=self.internal_ssl_ca,
+                    client_key=self.internal_ssl_key,
+                    client_cert=self.internal_ssl_cert,
+                    validate_cert=True,
+                ),
            )
-            AsyncHTTPClient.configure(None, defaults={"ssl_options": ssl_context})

    def init_db(self):
        """Create the database connection"""
@@ -3089,9 +3101,10 @@ class JupyterHub(Application):
            .filter(orm.Spawner.server != None)
            # pre-load relationships to avoid O(N active servers) queries
            .options(
-                joinedload(orm.User._orm_spawners),
-                joinedload(orm.Spawner.server),
+                contains_eager(orm.User._orm_spawners),
+                selectinload(orm.Spawner.server),
            )
+            .populate_existing()
        ):
            # instantiate Spawner wrapper and check if it's still alive
            # spawner should be running
@@ -3320,7 +3333,7 @@ class JupyterHub(Application):
        if self.pid_file:
            self.log.debug("Writing PID %i to %s", pid, self.pid_file)
            with open(self.pid_file, 'w') as f:
-                f.write('%i' % pid)
+                f.write(str(pid))

    @catch_config_error
    async def initialize(self, *args, **kwargs):
@@ -3878,6 +3891,10 @@ class JupyterHub(Application):
            tasks = [t for t in asyncio.all_tasks()]
            for t in tasks:
                self.log.debug("Task status: %s", t)
+        self._stop_event_loop()
+
+    def _stop_event_loop(self):
+        """In a method to allow tests to not do this"""
        asyncio.get_event_loop().stop()

    def stop(self):
--- a/jupyterhub/auth.py
+++ b/jupyterhub/auth.py
@@ -77,10 +77,16 @@ class Authenticator(LoggingConfigurable):
        help="""The max age (in seconds) of authentication info
        before forcing a refresh of user auth info.

-        Refreshing auth info allows, e.g. requesting/re-validating auth tokens.
+        Authenticators that support it may re-load managed groups,
+        refresh auth tokens, etc., or force a new login if auth info cannot be refreshed.

-        See :meth:`.refresh_user` for what happens when user auth info is refreshed
-        (nothing by default).
+        See :meth:`.refresh_user` for what happens when user auth info is refreshed,
+        which varies by authenticator.
+        If an Authenticator does not implement `refresh_user`,
+        auth info will never be considered stale.
+
+        Set `auth_refresh_age = 0` to disable time-based calls to `refresh_user`.
+        You can still use :attr:`refresh_pre_spawn` or :attr:`refresh_pre_stop` if `auth_refresh_age` is disabled.
        """,
    )

@@ -100,6 +106,25 @@ class Authenticator(LoggingConfigurable):
        """,
    )

+    refresh_pre_stop = Bool(
+        False,
+        config=True,
+        help="""Force refresh of auth prior to stop.
+
+        This forces :meth:`.refresh_user` to be called prior to stopping
+        a server, to ensure that auth state is up-to-date.
+
+        This can be important when e.g. auth tokens stored in auth_state may have expired,
+        but are a required part of the Spawner's shutdown steps.
+
+        If refresh_user cannot refresh the user auth data,
+        stop will fail until the user logs in again.
+        If an admin initiates the stop, it will proceed regardless.
+
+        .. versionadded:: 5.4
+        """,
+    )
+
    admin_users = Set(
        help="""
        Set of users that will be granted admin rights on this JupyterHub.
@@ -223,6 +248,7 @@ class Authenticator(LoggingConfigurable):

        Authenticator subclasses may override the default with e.g.::

+            from traitlets import default
            @default("allow_all")
            def _default_allow_all(self):
                # if _any_ auth config (depends on the Authenticator)
@@ -1218,7 +1244,7 @@ class LocalAuthenticator(Authenticator):
        cmd = [arg.replace('USERNAME', name) for arg in self.add_user_cmd]
        try:
            uid = self.uids[name]
-            cmd += ['--uid', '%d' % uid]
+            cmd += ['--uid', str(uid)]
        except KeyError:
            self.log.debug(f"No UID for user {name}")
        cmd += [name]
@@ -1497,12 +1523,19 @@ class DummyAuthenticator(Authenticator):
    password = Unicode(
        config=True,
        help="""
-        Set a global password for all users wanting to log in.
+        .. deprecated:: 5.3
        
-        This allows users with any username to log in with the same static password.
+            Setting a password in DummyAuthenticator is deprecated.
+            Use `SharedPasswordAuthenticator` instead.
        """,
    )

+    @observe("password")
+    def _password_changed(self, change):
+        msg = "DummyAuthenticator.password is deprecated in JupyterHub 5.3. Use SharedPasswordAuthenticator.user_password instead."
+        warnings.warn(msg, DeprecationWarning)
+        self.log.warning(msg)
+
    def check_allow_config(self):
        super().check_allow_config()
        self.log.warning(
@@ -1513,7 +1546,7 @@ class DummyAuthenticator(Authenticator):
        """Checks against a global password if it's been set. If not, allow any user/pass combo"""
        if self.password:
            if data['password'] == self.password:
-                return data['username']
+                return data["username"]
            return None
        return data['username']

--- a/jupyterhub/authenticators/init.py
+++ b/jupyterhub/authenticators/init.py
--- a/jupyterhub/authenticators/shared.py
+++ b/jupyterhub/authenticators/shared.py
@@ -0,0 +1,149 @@
+from secrets import compare_digest
+
+from traitlets import Unicode, validate
+
+from ..auth import Authenticator
+
+
+class SharedPasswordAuthenticator(Authenticator):
+    """
+    Authenticator with static shared passwords.
+
+    For use in short-term deployments with negligible security concerns.
+
+    Enable with::
+
+        c.JupyterHub.authenticator_class = "shared-password"
+
+    .. warning::
+        This is an insecure Authenticator only appropriate for short-term
+        deployments with no requirement to protect users from each other.
+
+        - The password is stored in plain text at rest in config
+        - Anyone with the password can login as **any user**
+        - All users are able to login as all other (non-admin) users with the same password
+    """
+
+    _USER_PASSWORD_MIN_LENGTH = 8
+    _ADMIN_PASSWORD_MIN_LENGTH = 32
+
+    user_password = Unicode(
+        None,
+        allow_none=True,
+        config=True,
+        help=f"""
+        Set a global password for all *non admin* users wanting to log in.
+
+        Must be {_USER_PASSWORD_MIN_LENGTH} characters or longer.
+
+        If not set, regular users cannot login.
+
+        If `allow_all` is True, anybody can register unlimited new users with any username by logging in with this password.
+        Users may be allowed by name by specifying `allowed_users`.
+
+        Any user will also be able to login as **any other non-admin user** with this password.
+
+        If `admin_users` is set, those users *must* use `admin_password` to log in.
+        """,
+    )
+
+    admin_password = Unicode(
+        None,
+        allow_none=True,
+        config=True,
+        help=f"""
+        Set a global password that grants *admin* privileges to users logging in with this password.
+        Only usernames declared in `admin_users` may login with this password.
+
+        Must meet the following requirements:
+
+        - Be {_ADMIN_PASSWORD_MIN_LENGTH} characters or longer
+        - Not be the same as `user_password`
+
+        If not set, admin users cannot login.
+        """,
+    )
+
+    @validate("admin_password")
+    def _validate_admin_password(self, proposal):
+        new = proposal.value
+        trait_name = f"{self.__class__.__name__}.{proposal.trait.name}"
+
+        if not new:
+            # no admin password; do nothing
+            return None
+        if len(new) < self._ADMIN_PASSWORD_MIN_LENGTH:
+            raise ValueError(
+                f"{trait_name} must be at least {self._ADMIN_PASSWORD_MIN_LENGTH} characters, not {len(new)}."
+            )
+        if self.user_password == new:
+            # Checked here and in validating password, to ensure we don't miss issues due to ordering
+            raise ValueError(
+                f"{self.__class__.__name__}.user_password and {trait_name} cannot be the same"
+            )
+        return new
+
+    @validate("user_password")
+    def _validate_password(self, proposal):
+        new = proposal.value
+        trait_name = f"{self.__class__.__name__}.{proposal.trait.name}"
+
+        if not new:
+            # no user password; do nothing
+            return None
+        if len(new) < self._USER_PASSWORD_MIN_LENGTH:
+            raise ValueError(
+                f"{trait_name} must be at least {self._USER_PASSWORD_MIN_LENGTH} characters long, got {len(new)} characters"
+            )
+        if self.admin_password == new:
+            # Checked here and in validating password, to ensure we don't miss issues due to ordering
+            raise ValueError(
+                f"{trait_name} and {self.__class__.__name__}.admin_password cannot be the same"
+            )
+        return new
+
+    def check_allow_config(self):
+        """Validate and warn about any suspicious allow config"""
+        super().check_allow_config()
+        clsname = self.__class__.__name__
+        if self.admin_password and not self.admin_users:
+            self.log.warning(
+                f"{clsname}.admin_password set, but {clsname}.admin_users is not."
+                " No admin users will be able to login."
+                f" Add usernames to {clsname}.admin_users to grant users admin permissions."
+            )
+        if self.admin_users and not self.admin_password:
+            self.log.warning(
+                f"{clsname}.admin_users set, but {clsname}.admin_password is not."
+                " No admin users will be able to login."
+                f" Set {clsname}.admin_password to allow admins to login."
+            )
+        if not self.user_password:
+            if not self.admin_password:
+                # log as an error, but don't raise, because disabling all login is valid
+                self.log.error(
+                    f"Neither {clsname}.admin_password nor {clsname}.user_password is set."
+                    " Nobody will be able to login!"
+                )
+            else:
+                self.log.warning(
+                    f"{clsname}.user_password not set."
+                    " No non-admin users will be able to login."
+                )
+
+    async def authenticate(self, handler, data):
+        """Checks against shared password"""
+        if data["username"] in self.admin_users:
+            # Admin user
+            if self.admin_password and compare_digest(
+                data["password"], self.admin_password
+            ):
+                return {"name": data["username"], "admin": True}
+        else:
+            if self.user_password and compare_digest(
+                data["password"], self.user_password
+            ):
+                # Anyone logging in with the standard password is *never* admin
+                return {"name": data["username"], "admin": False}
+
+        return None
--- a/Show More
+++ b/Show More