Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

decode bytes from secure cookie #562

Merged
merged 1 commit into from
Aug 2, 2021
Merged

decode bytes from secure cookie #562

merged 1 commit into from
Aug 2, 2021

Conversation

oliver-sanders
Copy link
Contributor

@oliver-sanders oliver-sanders commented Jul 28, 2021
edited
Loading

The get_secure_cookie interface returns bytes not str.

https://www.tornadoweb.org/en/stable/web.html#tornado.web.RequestHandler.get_secure_cookie

This fixes a minor issue where handler.get_current_user would return bytes rather than str.

Instructions to replicate

Log the result of handler.get_current_user(), minimal example:

class MyExtensionHandler(ExtensionHandlerMixin, JupyterHandler):  

    @tornado.web.authenticated
    def get(self):
        user = self.get_current_user()
        self.log.info(user)                                                 
        self.write('hello world')

Remove the token from the URL and reload the page (forces server to load the cookie value).

You should see the same token (because it was cashed in the cookie) but as bytes:

[I 2021-07-28 16:21:32.922 MyExtensionApp] 16046493615940198642c40b2fae7cb3
[I 2021-07-28 16:21:37.210 MyExtensionApp] b'16046493615940198642c40b2fae7cb3'

After this PR both should be str.

@oliver-sanders
decode bytes from secure cookie
c8a3438 
The get_secure_cookie interface returns bytes not str

https://www.tornadoweb.org/en/stable/web.html#tornado.web.RequestHandler.get_secure_cookie

This fixes a minor issue where `handler.get_current_user` would return
bytes rather than str.
@codecov-commenter
Copy link

codecov-commenter commented Jul 28, 2021
edited
Loading

Codecov Report

Merging #562 (c8a3438) into master (52e9467) will decrease coverage by 0.01%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #562      +/-   ##
==========================================
- Coverage   76.93%   76.91%   -0.02%     
==========================================
  Files         109      109              
  Lines        9948     9950       +2     
  Branches     1078     1079       +1     
==========================================
  Hits         7653     7653              
- Misses       1913     1914       +1     
- Partials      382      383       +1
Impacted Files Coverage Δ
jupyter_server/auth/login.py 68.70% <0.00%> (-1.07%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 52e9467...c8a3438. Read the comment docs.

oliver-sanders
oliver-sanders commented Jul 28, 2021
View reviewed changes
jupyter_server/auth/login.py
@@ -172,6 +172,8 @@ def get_user(cls, handler):
if user_id is None:
get_secure_cookie_kwargs = handler.settings.get('get_secure_cookie_kwargs', {})
user_id = handler.get_secure_cookie(handler.cookie_name, **get_secure_cookie_kwargs )
if user_id:
user_id = user_id.decode()
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question

Should this branch set handler._token_authenticated = True.

Technically it is "cookie authenticated", however, the cookie is based on an earlier token.

I ask because it can be useful for a handler to know when token authorisation is in use, for example:

class MyExtensionHandler(ExtensionHandlerMixin, JupyterHandler):  

    @tornado.web.authenticated
    def get(self):
        user = self.get_current_user()                                           
        if self.token_authenticated:
            user = getpass.getuser()
        self.write(f'hello {user}')

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #566 to follow up on this later.

@oliver-sanders
Copy link
Contributor Author

(I think the Linux/PyPy3 test failure is spurious, could someone re-run it)

@blink1073
Copy link
Contributor

(I think the Linux/PyPy3 test failure is spurious, could someone re-run it)

Kicked!

@blink1073 blink1073 added the bug label Jul 28, 2021
@blink1073 blink1073 added this to the 1.10 milestone Jul 28, 2021
@oliver-sanders
Copy link
Contributor Author

Sorted.

@Zsailer
Copy link
Member

Zsailer commented Aug 2, 2021

Thanks, @oliver-sanders. This looks good to me, but I need to check against JupyterHub's unit tests before merging (hopefully sometime today).

We need to add Jupyterhub to our downstream tests (using this configuration).

@Zsailer Zsailer mentioned this pull request Aug 2, 2021
Closed
Zsailer
Zsailer approved these changes Aug 2, 2021
View reviewed changes
Copy link
Member

@Zsailer Zsailer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested against JupyterHub and everything passes. 👍 LGTM.

@Zsailer Zsailer merged commit 7956dc5 into jupyter-server:master Aug 2, 2021
@oliver-sanders oliver-sanders deleted the decode-token branch August 3, 2021 08:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Zsailer Zsailer Zsailer approved these changes

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
1.10
Development

Successfully merging this pull request may close these issues.
4 participants
@oliver-sanders @codecov-commenter @blink1073 @Zsailer