Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

handle api tokens and xsrf #1847

Merged
merged 12 commits into from
May 14, 2024
Merged

handle api tokens and xsrf #1847

merged 12 commits into from
May 14, 2024

Conversation

minrk
Copy link
Member

@minrk minrk commented May 3, 2024

  • When authenticated with JupyterHub, XSRF checks are applied to GET requests, blocking the EventSource
  • switch to fetch-based EventSource implementation, since base EventSource doesn't allow headers (like websockets)
  • allow api tokens for authenticated requests, which avoids auth issues including enabling cross-origin requests to authenticated servers

fixes #1842

- XSRF checks are applied to GET requests, blocking the EventSource
- switch to fetch-based EventSource implementation, since base EventSource doesn't allow headers (like websockets)
- propagate api tokens for authenticated requests
@minrk minrk requested a review from yuvipanda May 3, 2024 12:21
// e.g. SecurityError in case of CSP Sandbox
return null;
}
const xsrfTokenMatch = cookie.match("\\b_xsrf=([^;]*)\\b");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

regexes in anything security sensitive always make me nervous haha. Can you either add a comment here explaining what's going on, or a direct link to the specific place from @jupyterlab/services this was stolen from?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added link and explanation. It's still astonishing to me that there is no API for geting cookies by name in browsers, but it is {name}={anything but a semicolon}[; again]

@yuvipanda
Copy link
Collaborator

I think we can make the breaking change for how params are passed now! And with the tests fixed, I think this is good to go.

@minrk
Copy link
Member Author

minrk commented May 6, 2024

I have it working locally, but I've spent my whole day so far trying to get the tests to accurately describe that the code is working, but they keep failing with unhandled errors that should be handled as regular close events.

Copy link
Member

@manics manics left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested successfully with #1851

Other than a typo this looks good to me

js/packages/binderhub-client/lib/index.js Outdated Show resolved Hide resolved
js/packages/binderhub-client/lib/index.js Outdated Show resolved Hide resolved
yuvipanda and others added 2 commits May 14, 2024 15:51
Co-authored-by: Simon Li <[email protected]>
@yuvipanda
Copy link
Collaborator

Thanks for testing, @manics.

@yuvipanda yuvipanda merged commit c6c5dc8 into jupyterhub:main May 14, 2024
15 checks passed
consideRatio pushed a commit to jupyterhub/helm-chart that referenced this pull request May 14, 2024
@yuvipanda yuvipanda added breaking code:js-binderhub-client js changes to binderhub-client labels May 15, 2024
@yuvipanda
Copy link
Collaborator

I deployed this to mybinder.org too, and it seems ok.

@minrk minrk deleted the fetch-events branch May 15, 2024 08:50
@minrk
Copy link
Member Author

minrk commented May 15, 2024

Thanks for finishing this!

u10313335 added a commit to depositar/binderhub that referenced this pull request Sep 26, 2024
This reverts commit c6c5dc8, reversing
changes made to 430a3ea.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
breaking code:js-binderhub-client js changes to binderhub-client
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Authentication does not work with JupyterHub 4.1.2
3 participants