avoids clobbering cookies when multiple notebook servers are run on one host.
Users can override `cookie_options.path = ‘/‘` if they *want* cookies to be shared across notebooks on one host.
we already apply this logic in our server-side checks,
but browsers check `Access-Control-Allow-Origin` headers themselves as well,
meaning that token-authenticated requests can’t be made cross-origin without CORS headers from browsers,
only scripts.
This makes default browser and server-side origin checks consistent
get_current_user is called in a few places that really shouldn’t raise
move the raising to `get_login_url`, which is called in `@web.authenticated`,
where we want to replace redirect logic with 403.
When starting a kernel using the Jupyter Notebook Kernel API, web
browsers will automatically check for the presence of `x-xsrftoken` in
the Access-Control-Allow-Headers during the preflight CORS check
([ref][ref]).
[ref]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
Since we didn't allow this header before, web browsers would fail the
preflight check even when the x-xsrftoken header isn't being used by the
notebook server.
This meant that running a webpage on localhost:8080 that used Javascript
to start a kernel on a notebook server running on localhost:8888 would
fail.
How I tested this commit:
1. Start a notebook server using
jupyter notebook --no-browser --NotebookApp.allow_origin="*" --NotebookApp.disable_check_xsrf=True --NotebookApp.token=''
2. Build the [web3](https://github.com/jupyter-widgets/ipywidgets/tree/master/examples/web3) example from ipywidgets.
3. In that directory, run `npm run host`.
4. Verify that visiting http://localhost:8080/ starts a kernel in the notebook server.
Use a copy to avoid writing content security policy into settings['headers'],
which can be a problem because APIHandlers have a stricter CSP than page handlers.
If an API request is made before the first page request, pages will fail to load due to CSP violations.
This commit fixes issue #1387 by adding a file `robots.txt`
that makes robots go away.
This commit is also similar to
316665e5d7
as it also adds the `favicon.ico`.
add /api/status endpoint for retrieving current status
includes
- started: start time of the server
- last_activity: latest activity across all endpoints
- connections: number of current connections
- kernels: number of current kernels
- Cookie-authenticated API requests must use set X-XSRFToken header
- add utils.ajax for making ajax requests, adding xsrf header from default location
- add NotebookApp.login_token, used when NotebookApp.password is not set
- store login_token, bool(password) in notebook server-info file
- `jupyter notebook list` shows pasteable URLs with token
General changes:
- notebook servers are now authenticated by default
- first connect with token sets a cookie
- once a user has logged into one server with a token, their browser is logged in to
all subsequent servers on the same system+port until cookie_secret changes
There was a conflict for the .login_available property on LoginHandler itself
causing the login form to render incorrectly when login_available should be False
Commit 65eb248209 introduced a bug by not allowing the POST method in OPTIONS requests (which is wrong since several parts of the API accept POST requests, for example creating a new kernel).
Thomas Kluyver
Min RK
Sam Lau
Grant Nestor
Anastasis Germanidis
Thomas Kluyver
Krista
Jason Grout
wenjun.swj
Bernhard Liebl
chultquist