Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

@web.authenticated decorator with IPythonHandler is not working on nbclassic #271

Open
yacchin1205 opened this issue May 30, 2023 · 0 comments
Open

@web.authenticated decorator with IPythonHandler is not working on nbclassic #271

yacchin1205 opened this issue May 30, 2023 · 0 comments
Labels
bug Something isn't working documentation Improvements or additions to documentation

Comments

@yacchin1205
Copy link

yacchin1205 commented May 30, 2023
edited
Loading

@web.authenticated decorator with IPythonHandler is not working on nbclassic and the endpoint would be accessible without authentication.

Custom request handlers - Jupyter Notebook 6.5.4 mentioned that endpoints requiring authentication should use notebook.base.handlers.IPythonHandler and @tornado.web.authenticated, but actually only JupyterHandler ( Server Extensions - Jupyter Server documentation) on Jupyter Server works.

I assume this means that the (former) Jupyter Notebook and Jupyter Server are not compatible with Handler, but it seems like a point that could easily be missed when migrating Extensions for the former Jupyter Notebook to nbclassic or Notebook v7. In most cases, it works under JupyterHub, so it's not a (large) problem, but it is hard to know that anyone can access the endpoint rather than losing access to it, so I believe that a warning should be given or a document should alert the user.

To Reproduce
To reproduce, please follow the steps below.
(As a sample, using https://github.com/Jupyter-contrib/jupyter_nbextensions_configurator)

  1. Download Dockerfile from https://gist.github.com/yacchin1205/532509f59b1815bdb4624a08db1e4f9c
  2. Build an image: docker build -t jupyter/ipython-handler-authentication-bug .
  3. Run jupyter notebook (former notebook server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=notebook jupyter/ipython-handler-authentication-bug
  4. Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 403 Forbidden. (Expected behavior)
  5. Stop the container with Ctrl-C
  6. Run jupyter nbclassic (nbclassic with jupyter-server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=nbclassic jupyter/ipython-handler-authentication-bug
  7. Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 200 OK with actual response. (Unexpected behavior)

Expected behavior
I assume that endpoints created with IPythonHandler and @web.authenticated should also return 403 Forbidden or provide a warning that authentication is not valid with IPythonHandler.
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
bug Something isn't working documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@yacchin1205 @RRosio