Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

@web.authenticated decorator with IPythonHandler is not working on nbclassic #271

Open
yacchin1205 opened this issue May 30, 2023 · 0 comments
Labels
bug Something isn't working documentation Improvements or additions to documentation

Comments

@yacchin1205
Copy link

yacchin1205 commented May 30, 2023

@web.authenticated decorator with IPythonHandler is not working on nbclassic and the endpoint would be accessible without authentication.

Custom request handlers - Jupyter Notebook 6.5.4 mentioned that endpoints requiring authentication should use notebook.base.handlers.IPythonHandler and @tornado.web.authenticated, but actually only JupyterHandler ( Server Extensions - Jupyter Server documentation) on Jupyter Server works.

I assume this means that the (former) Jupyter Notebook and Jupyter Server are not compatible with Handler, but it seems like a point that could easily be missed when migrating Extensions for the former Jupyter Notebook to nbclassic or Notebook v7. In most cases, it works under JupyterHub, so it's not a (large) problem, but it is hard to know that anyone can access the endpoint rather than losing access to it, so I believe that a warning should be given or a document should alert the user.

To Reproduce
To reproduce, please follow the steps below.
(As a sample, using https://github.com/Jupyter-contrib/jupyter_nbextensions_configurator)

  1. Download Dockerfile from https://gist.github.com/yacchin1205/532509f59b1815bdb4624a08db1e4f9c
  2. Build an image: docker build -t jupyter/ipython-handler-authentication-bug .
  3. Run jupyter notebook (former notebook server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=notebook jupyter/ipython-handler-authentication-bug
  4. Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 403 Forbidden. (Expected behavior)
  5. Stop the container with Ctrl-C
  6. Run jupyter nbclassic (nbclassic with jupyter-server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=nbclassic jupyter/ipython-handler-authentication-bug
  7. Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 200 OK with actual response. (Unexpected behavior)

Expected behavior
I assume that endpoints created with IPythonHandler and @web.authenticated should also return 403 Forbidden or provide a warning that authentication is not valid with IPythonHandler.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working documentation Improvements or additions to documentation
Projects
None yet
Development

No branches or pull requests

2 participants