The bug:
When
- the user login for the first file with a token and want to change his/her password
- and if the folder `~/.jupyter` (`jupyter_config_dir()`) does not exist
then the jupyter server will raise a `FileNotFoundError` exception and return a 500 error.
This change tries to fix this bug by ensure the folder exist so that the `config_file` can be opened.
Per Tornado's documentation:
>By default, Tornado’s secure cookies expire after 30 days.
>To change this, use the expires_days keyword argument to
>set_secure_cookie and the max_age_days argument to get_secure_cookie.
>These two values are passed separately so that you may
>e.g. have a cookie that is valid for 30 days for most purposes,
>but for certain sensitive actions
>(such as changing billing information)
>you use a smaller max_age_days when reading the cookie.
With the current implementation in `auth/login.py`,
this is possible to pass the `expires_days` option
but not possible to enforce it as this is not possible
to pass `max_age_days` to `get_secure_cookie`
This makes impossible to set the cookie expiration without
using a custom `LoginHandler`.
This revision is about adding the possibility to pass options
to Tornado's `get_secure_cookie` method,
so it can be possible to set the cookies expiration,
among others.
Clearing the secure cookie makes sense when it is invalid or expired,
but clearing it when it's not sent with a request can unexpectedly log
the user out.
I ran into this with misconstructed URLs which didn't incorporate
base_url. That was itself a bug, but the result of suddenly being
unauthenticated makes it harder to track down.
Closes gh-3365 (hopefully)
Possibly also relevant to gh-2396
I'm not sure why this seems to affect Firefox more than Chrome.
When token is enabled, the login page will present a form to the user
asking them if they want to set a password at the same time. This is
almost equivalent to running `jupyter notebook password` on the command
line.
The experience can likely be better, but just submitting that as a POC
for feedback
avoids clobbering cookies when multiple notebook servers are run on one host.
Users can override `cookie_options.path = ‘/‘` if they *want* cookies to be shared across notebooks on one host.
- add NotebookApp.login_token, used when NotebookApp.password is not set
- store login_token, bool(password) in notebook server-info file
- `jupyter notebook list` shows pasteable URLs with token
General changes:
- notebook servers are now authenticated by default
- first connect with token sets a cookie
- once a user has logged into one server with a token, their browser is logged in to
all subsequent servers on the same system+port until cookie_secret changes
There was a conflict for the .login_available property on LoginHandler itself
causing the login form to render incorrectly when login_available should be False
Bibo Hao
Kerwin.Sun
Min RK
Thomas Kluyver
Denis Ledoux
maartenbreddels
Matthias Bussonnier
Kyle Kelley
jean-roch
Srinivas Reddy Thatiparthy
Chris Seymour