From 186a82eae5f80ee2e850a0fd59037c03188d0317 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 3 May 2024 10:38:01 +0200
Subject: [PATCH 1/6] don't protect static assets from XSRF

JupyterHub 4.1 applies XSRF checks on authenticated GET requests by default

---
 cylc/uiserver/handlers.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cylc/uiserver/handlers.py b/cylc/uiserver/handlers.py
index daed7a66..ef281dc1 100644
--- a/cylc/uiserver/handlers.py
+++ b/cylc/uiserver/handlers.py
@@ -184,6 +184,10 @@ class CylcStaticHandler(CylcAppHandler, web.StaticFileHandler):
     def initialize(self, *args, **kwargs):
         return web.StaticFileHandler.initialize(self, *args, **kwargs)
 
+    def check_xsrf_cookie(self):
+        # don't need XSRF protections on static assets
+        return
+
     @web.authenticated
     def get(self, path):
         # authenticate the static handler

From b24360996dd60033a1f22172c98181b313cb31ff Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 3 May 2024 10:41:07 +0200
Subject: [PATCH 2/6] add myself to contributors

---
 CONTRIBUTING.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6de00e76..fc40cfe6 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -59,6 +59,7 @@ below.
  - Mel Hall
  - Christopher Bennett
  - Mark Dawson
+ - Min RK
 
 
 (All contributors are identifiable with email addresses in the git version

From 61d6a1e482bb747798abe7905a6598b6ab07151d Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 3 May 2024 10:56:05 +0200
Subject: [PATCH 3/6] changelog entry for 592

---
 changes.d/592.fix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changes.d/592.fix

diff --git a/changes.d/592.fix b/changes.d/592.fix
new file mode 100644
index 00000000..4636b920
--- /dev/null
+++ b/changes.d/592.fix
@@ -0,0 +1 @@
+Compatibility with JupyterHub 4.1 XSRF changes for static requests
\ No newline at end of file

From 93c6815cdb4ad8ead377a2c4f5951bcec8f01120 Mon Sep 17 00:00:00 2001
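Review bot: The new `check_xsrf_cookie` override disables the check for every request this handler serves with only a one-line comment, and nothing tells a later reader why that is safe here or that it must not be copied onto a handler that changes server state. A docstring carrying the argument would help, e.g. `"""Skip the XSRF check: this handler serves static assets over GET/HEAD only and changes no server state, so the check JupyterHub 4.1 applies to authenticated GETs adds nothing here; authentication is still enforced by @web.authenticated on get()."""`. Because the override is unconditional it also covers HEAD, which is consistent with that argument but worth stating explicitly. The `get()` it relies on and the rest of `CylcStaticHandler` continue past the hunk.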
From: Min RK
Date: Fri, 3 May 2024 15:23:58 +0200
Subject: [PATCH 4/6] make sure xsrf token is set on static requests

---
 cylc/uiserver/handlers.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cylc/uiserver/handlers.py b/cylc/uiserver/handlers.py
index ef281dc1..42c3b365 100644
--- a/cylc/uiserver/handlers.py
+++ b/cylc/uiserver/handlers.py
@@ -192,6 +192,9 @@ def check_xsrf_cookie(self):
     def get(self, path):
         # authenticate the static handler
         # this provides us with login redirection and token caching
+        # accessing xsrf_token ensures xsrf cookie is set if it needs to be,
+        # e.g. setting it during request for /index.html to be available for next request to /userprofile
+        self.xsrf_token # noqa
         return web.StaticFileHandler.get(self, path)
 
 

From bca45045275177368c94cd7b1267bac84447d72e Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 3 May 2024 15:58:43 +0200
Subject: [PATCH 5/6] appease linter

---
 cylc/uiserver/handlers.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cylc/uiserver/handlers.py b/cylc/uiserver/handlers.py
index 42c3b365..cf07b246 100644
--- a/cylc/uiserver/handlers.py
+++ b/cylc/uiserver/handlers.py
@@ -193,7 +193,8 @@ def get(self, path):
         # authenticate the static handler
         # this provides us with login redirection and token caching
         # accessing xsrf_token ensures xsrf cookie is set if it needs to be,
-        # e.g. setting it during request for /index.html to be available for next request to /userprofile
+        # e.g. setting it during request for /index.html
+        # to be available for next request to /userprofile
         self.xsrf_token # noqa
         return web.StaticFileHandler.get(self, path)
 

From 9d64669f4dcdc45b7b7b89badff2431a009313f1 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Fri, 3 May 2024 19:10:42 +0200
Subject: [PATCH 6/6] don't cache index.html

Co-authored-by: Ronnie Dutta <61982285+MetRonnie@users.noreply.github.com>

---
 cylc/uiserver/handlers.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/cylc/uiserver/handlers.py b/cylc/uiserver/handlers.py
index cf07b246..c4e50fcc 100644
--- a/cylc/uiserver/handlers.py
+++ b/cylc/uiserver/handlers.py
@@ -192,10 +192,15 @@ def check_xsrf_cookie(self):
     def get(self, path):
         # authenticate the static handler
         # this provides us with login redirection and token caching
-        # accessing xsrf_token ensures xsrf cookie is set if it needs to be,
-        # e.g. setting it during request for /index.html
-        # to be available for next request to /userprofile
-        self.xsrf_token # noqa
+        if not path:
+            # Request for /index.html
+            # Accessing xsrf_token ensures xsrf cookie is set
+            # to be available for next request to /userprofile
+            self.xsrf_token
+            # Ensure request goes through this method even when cached so
+            # that the xsrf cookie is set on new browser sessions
+            # (doesn't prevent browser storing the response):
+            self.set_header('Cache-Control', 'no-cache')
         return web.StaticFileHandler.get(self, path)
 
 
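Review bot: The `if not path:` guard only matches the bare directory request, so a request that names `index.html` explicitly skips both the `self.xsrf_token` access and the `Cache-Control: no-cache` header, and a browser that cached that URL by name can reach `/userprofile` in a new session without the xsrf cookie ever being issued. If the index page is the target in either form (the empty-path-to-index.html mapping is inferred from the comment; the handler's default filename is not in the hunk), guard on both, `if not path or path == 'index.html':`. As far as I recall, tornado's `StaticFileHandler.set_headers` writes its own `Cache-Control: max-age=...` when the asset is requested with a `?v=` version argument and calls `set_extra_headers(path)` last, so a header set before delegating to the base `get()` can be overwritten for such requests; moving the no-cache header into an overridden `set_extra_headers` keeps it authoritative. The same bare `self.xsrf_token` expression statement appears in PATCH 4/6, so whichever form is kept should be the one a linter will not flag as a useless expression. The `get` method ends inside the hunk, but the enclosing class header is outside it.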