Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

decode bytes from secure cookie #562

Merged
merged 1 commit into from
Aug 2, 2021

Conversation

oliver-sanders
Copy link
Contributor

@oliver-sanders oliver-sanders commented Jul 28, 2021

The get_secure_cookie interface returns bytes not str.

https://www.tornadoweb.org/en/stable/web.html#tornado.web.RequestHandler.get_secure_cookie

This fixes a minor issue where handler.get_current_user would return bytes rather than str.

Instructions to replicate

Log the result of handler.get_current_user(), minimal example:

class MyExtensionHandler(ExtensionHandlerMixin, JupyterHandler):  

    @tornado.web.authenticated
    def get(self):
        user = self.get_current_user()
        self.log.info(user)                                                 
        self.write('hello world')  

Remove the token from the URL and reload the page (forces server to load the cookie value).

You should see the same token (because it was cashed in the cookie) but as bytes:

[I 2021-07-28 16:21:32.922 MyExtensionApp] 16046493615940198642c40b2fae7cb3
[I 2021-07-28 16:21:37.210 MyExtensionApp] b'16046493615940198642c40b2fae7cb3'

After this PR both should be str.

The get_secure_cookie interface returns bytes not str

https://www.tornadoweb.org/en/stable/web.html#tornado.web.RequestHandler.get_secure_cookie

This fixes a minor issue where `handler.get_current_user` would return
bytes rather than str.
@codecov-commenter
Copy link

codecov-commenter commented Jul 28, 2021

Codecov Report

Merging #562 (c8a3438) into master (52e9467) will decrease coverage by 0.01%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #562      +/-   ##
==========================================
- Coverage   76.93%   76.91%   -0.02%     
==========================================
  Files         109      109              
  Lines        9948     9950       +2     
  Branches     1078     1079       +1     
==========================================
  Hits         7653     7653              
- Misses       1913     1914       +1     
- Partials      382      383       +1     
Impacted Files Coverage Δ
jupyter_server/auth/login.py 68.70% <0.00%> (-1.07%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 52e9467...c8a3438. Read the comment docs.

@@ -172,6 +172,8 @@ def get_user(cls, handler):
if user_id is None:
get_secure_cookie_kwargs = handler.settings.get('get_secure_cookie_kwargs', {})
user_id = handler.get_secure_cookie(handler.cookie_name, **get_secure_cookie_kwargs )
if user_id:
user_id = user_id.decode()
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question

Should this branch set handler._token_authenticated = True.

Technically it is "cookie authenticated", however, the cookie is based on an earlier token.

I ask because it can be useful for a handler to know when token authorisation is in use, for example:

class MyExtensionHandler(ExtensionHandlerMixin, JupyterHandler):  

    @tornado.web.authenticated
    def get(self):
        user = self.get_current_user()                                           
        if self.token_authenticated:
            user = getpass.getuser()
        self.write(f'hello {user}') 

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #566 to follow up on this later.

@oliver-sanders
Copy link
Contributor Author

(I think the Linux/PyPy3 test failure is spurious, could someone re-run it)

@blink1073
Copy link
Contributor

(I think the Linux/PyPy3 test failure is spurious, could someone re-run it)

Kicked!

@blink1073 blink1073 added the bug label Jul 28, 2021
@blink1073 blink1073 added this to the 1.10 milestone Jul 28, 2021
@oliver-sanders
Copy link
Contributor Author

Sorted.

@Zsailer
Copy link
Member

Zsailer commented Aug 2, 2021

Thanks, @oliver-sanders. This looks good to me, but I need to check against JupyterHub's unit tests before merging (hopefully sometime today).

We need to add Jupyterhub to our downstream tests (using this configuration).

Copy link
Member

@Zsailer Zsailer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested against JupyterHub and everything passes. 👍 LGTM.

@Zsailer Zsailer merged commit 7956dc5 into jupyter-server:master Aug 2, 2021
@oliver-sanders oliver-sanders deleted the decode-token branch August 3, 2021 08:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants