8 Commits (efdbef117f17ecdf1b8bbae00aabdcef141d6f02)

Author	SHA1	Message	Date
Min RK	fb8640a072	add token_authenticated property ... indicates if a token is used for authentication, in which case xsrf checks should be skipped.	9 years ago
Kyle Kelley	ab791441b2	Backport PR #1938: don't check origin on token-authenticated requests ... adds LoginHandler.should_check_origin classmethod API While testing, I noticed that we were checking origin and authentication on CSP violation reports, but browsers are sending CSP reports with no Origin, meaning that no CSP report will ever be accepted. That doesn't make sense to me, so I disabled both - a CSP report can now be made from *anywhere* (no auth, no check). rgbkrk does that sound right to you? Or should it be authenticated but no origin check? Signed-off-by: Min RK <benjaminrk@gmail.com>	9 years ago
Kyle Kelley	754f397e9e	Backport PR #1831: enable token-authentication by default ... - add `NotebookApp.login_token`, used when `NotebookApp.password` is not set - store login_token, bool(password) in notebook server-info file - token is passed in the URL as `?token=long-token` - `jupyter notebook list` shows pasteable URLs with token Practical effects: - notebook servers are now authenticated by default - first connect with token sets a cookie - once a user has logged into one server with a token, their browser is logged in to all subsequent servers on the same system+port until cookie_secret changes. - users can no longer type the simple host:port into their browser to connect, until after the first successful login via token(simple URLs are fine if password is enabled). Truly public servers, such as tmpnb, will need to set `NotebookApp.token=''` to fully disable auth. cc Carreau, ellisonbg, rgbkrk, parente	9 years ago
Matthias Bussonnier	48f809bca7	Backport PR #1642: include cross-origin check when allowing login URL redirects ... allows cross-origin setups to use the login page and redirect back	10 years ago
Min RK	4f7825fe92	Backport PR #1231: Add `cookie_options` to make cookie args configurable ... also make cookies httponly by default, since we do not need or want access to cookies in js	10 years ago
Chris Seymour	6880715826	Use a 401 status code for invalid login attempts. Fixes #384	11 years ago
Min RK	acbe5cc442	restrict login redirect to notebook app ... prevents redirect to other websites from login page	11 years ago
Min RK	d71a59cc9f	s/jupyter_notebook/notebook	11 years ago