use tornado xsrf token in API

- Cookie-authenticated API requests must use set X-XSRFToken header - add utils.ajax for making ajax requests, adding xsrf header from default location
10 years ago · 9478a6b82b
parent 70e79a0ad6
commit 9478a6b82b
8 changed files with 53 additions and 22 deletions
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@ -362,7 +362,7 @@ class IPythonHandler(AuthenticatedHandler):
            ignore_minified_js=self.ignore_minified_js,
            xsrf_form_html=self.xsrf_form_html,
            token=self.token,
-            xsrf_token=self.xsrf_token,
+            xsrf_token=self.xsrf_token.decode('utf8'),
            **self.jinja_template_vars
        )
    
--- a/notebook/static/base/js/utils.js
+++ b/notebook/static/base/js/utils.js
@ -603,7 +603,7 @@ define([
    
    var to_absolute_cursor_pos = function (cm, cursor) {
        console.warn('`utils.to_absolute_cursor_pos(cm, pos)` is deprecated. Use `cm.indexFromPos(cursor)`');
-        return cm.indexFromPos(cusrsor);
+        return cm.indexFromPos(cursor);
    };
    
    var from_absolute_cursor_pos = function (cm, cursor_pos) {
@ -752,6 +752,29 @@ define([
        return wrapped_error;
    };
    
+    var ajax = function (url, settings) {
+        // like $.ajax, but ensure Authorization header is set
+        settings = _add_auth_header(settings);
+        return $.ajax(url, settings);
+    };
+
+    var _add_auth_header = function (settings) {
+        /**
+         * Adds auth header to jquery ajax settings
+         */
+        settings = settings || {};
+        if (!settings.headers) {
+            settings.headers = {};
+        }
+        if (!settings.headers.Authorization) {
+            var xsrf_token = get_body_data('xsrfToken');
+            if (xsrf_token) {
+                settings.headers['X-XSRFToken'] = xsrf_token;
+            }
+        }
+        return settings;
+    };
+
    var promising_ajax = function(url, settings) {
        /**
         * Like $.ajax, but returning an ES6 promise. success and error settings
@ -766,7 +789,7 @@ define([
                log_ajax_error(jqXHR, status, error);
                reject(wrap_ajax_error(jqXHR, status, error));
            };
-            $.ajax(url, settings);
+            ajax(url, settings);
        });
    };

@ -1010,10 +1033,11 @@ define([
        is_or_has : is_or_has,
        is_focused : is_focused,
        mergeopt: mergeopt,
-        ajax_error_msg : ajax_error_msg,
-        log_ajax_error : log_ajax_error,
        requireCodeMirrorMode : requireCodeMirrorMode,
        XHR_ERROR : XHR_ERROR,
+        ajax : ajax,
+        ajax_error_msg : ajax_error_msg,
+        log_ajax_error : log_ajax_error,
        wrap_ajax_error : wrap_ajax_error,
        promising_ajax : promising_ajax,
        WrappedError: WrappedError,
--- a/notebook/static/services/kernels/kernel.js
+++ b/notebook/static/services/kernels/kernel.js
@ -152,7 +152,7 @@ define([
     * @param {function} [error] - functon executed on ajax error
     */
    Kernel.prototype.list = function (success, error) {
-        $.ajax(this.kernel_service_url, {
+        utils.ajax(this.kernel_service_url, {
            processData: false,
            cache: false,
            type: "GET",
@ -194,7 +194,7 @@ define([
            }
        };

-        $.ajax(url, {
+        utils.ajax(url, {
            processData: false,
            cache: false,
            type: "POST",
@ -218,7 +218,7 @@ define([
     * @param {function} [error] - functon executed on ajax error
     */
    Kernel.prototype.get_info = function (success, error) {
-        $.ajax(this.kernel_url, {
+        utils.ajax(this.kernel_url, {
            processData: false,
            cache: false,
            type: "GET",
@ -244,7 +244,7 @@ define([
    Kernel.prototype.kill = function (success, error) {
        this.events.trigger('kernel_killed.Kernel', {kernel: this});
        this._kernel_dead();
-        $.ajax(this.kernel_url, {
+        utils.ajax(this.kernel_url, {
            processData: false,
            cache: false,
            type: "DELETE",
@ -278,7 +278,7 @@ define([
        };

        var url = utils.url_path_join(this.kernel_url, 'interrupt');
-        $.ajax(url, {
+        utils.ajax(url, {
            processData: false,
            cache: false,
            type: "POST",
@ -323,7 +323,7 @@ define([
        };

        var url = utils.url_path_join(this.kernel_url, 'restart');
-        $.ajax(url, {
+        utils.ajax(url, {
            processData: false,
            cache: false,
            type: "POST",
--- a/notebook/static/services/sessions/session.js
+++ b/notebook/static/services/sessions/session.js
@ -76,7 +76,7 @@ define([
     * @param {function} [error] - functon executed on ajax error
     */
    Session.prototype.list = function (success, error) {
-        $.ajax(this.session_service_url, {
+        utils.ajax(this.session_service_url, {
            processData: false,
            cache: false,
            type: "GET",
@ -117,7 +117,7 @@ define([
            }
        };

-        $.ajax(this.session_service_url, {
+        utils.ajax(this.session_service_url, {
            processData: false,
            cache: false,
            type: "POST",
@ -139,7 +139,7 @@ define([
     * @param {function} [error] - functon executed on ajax error
     */
    Session.prototype.get_info = function (success, error) {
-        $.ajax(this.session_url, {
+        utils.ajax(this.session_url, {
            processData: false,
            cache: false,
            type: "GET",
@ -165,7 +165,7 @@ define([
            this.notebook_model.path = path;
        }

-        $.ajax(this.session_url, {
+        utils.ajax(this.session_url, {
            processData: false,
            cache: false,
            type: "PATCH",
@ -192,7 +192,7 @@ define([
            this.kernel._kernel_dead();
        }

-        $.ajax(this.session_url, {
+        utils.ajax(this.session_url, {
            processData: false,
            cache: false,
            type: "DELETE",
--- a/notebook/static/tree/js/notebooklist.js
+++ b/notebook/static/tree/js/notebooklist.js
@ -734,7 +734,7 @@ define([
                'api/sessions',
                encodeURIComponent(session.id)
            );
-            $.ajax(url, settings);
+            utils.ajax(url, settings);
        }
    };

--- a/notebook/static/tree/js/sessionlist.js
+++ b/notebook/static/tree/js/sessionlist.js
@ -62,7 +62,7 @@ define([
            error : utils.log_ajax_error,
        };
        var url = utils.url_path_join(this.base_url, 'api/sessions');
-        $.ajax(url, settings);
+        utils.ajax(url, settings);
    };

    SesssionList.prototype.sessions_loaded = function(data){
--- a/notebook/static/tree/js/terminallist.js
+++ b/notebook/static/tree/js/terminallist.js
@ -60,12 +60,12 @@ define([
            this.base_url,
            'api/terminals'
        );
-        $.ajax(url, settings);
+        utils.ajax(url, settings);
    };
    
    TerminalList.prototype.load_terminals = function() {
        var url = utils.url_path_join(this.base_url, 'api/terminals');
-        $.ajax(url, {
+        utils.ajax(url, {
            type: "GET",
            cache: false,
            dataType: "json",
@ -113,7 +113,7 @@ define([
                };
                var url = utils.url_path_join(that.base_url, 'api/terminals',
                    utils.encode_uri_components(name));
-                $.ajax(url, settings);
+                utils.ajax(url, settings);
                return false;
            });
        item.find(".item_buttons").text("").append(shutdown_button);
--- a/notebook/templates/page.html
+++ b/notebook/templates/page.html
@ -197,7 +197,14 @@

 </head>

-<body class="{% block bodyclasses %}{% endblock %}" {% block params %}{% endblock %}>
+<body class="{% block bodyclasses %}{% endblock %}"
+ {% block params %}
+  data-xsrf-token="{{xsrf_token | urlencode}}"
+  {% if logged_in and token %}
+    data-jupyter-api-token="{{token | urlencode}}"
+  {% endif %}
+ {% endblock params %}
+>

 <noscript>
    <div id='noscript'>