Include XSRF token in userprofile request #1778

Merged (3 commits), May 8, 2024

Conversation

@minrk (Contributor) commented May 3, 2024

JupyterHub 4.1 applies XSRF checks consistently to authenticated GET requests, so apply the same getCylcHeaders logic used in the GraphQL POST request to all requests (userprofile was the only other one I found). As a result, getCylcHeaders is moved to a common location in utils/url, rather than being confined to GraphQL.

This solves the userprofile request, described in jupyterhub/jupyterhub#4800

Together with cylc/cylc-uiserver#592, cylc works with JupyterHub 4.1.5

Check List

  • I have read CONTRIBUTING.md and added my name as a Code Contributor.
  • Contains logically grouped changes (else tidy your branch by rebase).
  • Does not contain off-topic changes (use other PRs for other changes).
  • Tests are not needed for this change
  • CHANGES.md entry included if this is a change that can affect users

minrk added 3 commits May 3, 2024 10:34
moves getCylcHeaders to utils/url as a common utility to be applied to all requests
@oliver-sanders oliver-sanders added the bug Something isn't working label May 3, 2024
@oliver-sanders oliver-sanders added this to the 2.5.0 milestone May 3, 2024
@oliver-sanders (Member) commented

Many thanks for your fixes @minrk, greatly appreciated!

@minrk (Contributor, Author) commented May 3, 2024

Worth linking this comment where I suggested using API tokens to make API requests, which avoids all xsrf fiddliness. This PR is the smallest change to keep things working as they are.

I didn't make the API token change because I don't know the best way to get the token from the Python to javascript in your stack, but if someone wants to take that on, the token is available as token = self.hub_auth.get_token(self) when using JupyterHub authentication, and can then be injected into templates for authenticated pages, etc.
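
The XSRF-header requirement in the PR description and the API-token alternative minrk raises above, as an added worked example in JavaScript. This is not cylc-ui's own code and not JupyterHub's: the function names (readXsrfCookie, buildCylcHeaders, xsrfCheck, simulateSession), the /userprofile and /graphql paths, the sample cookie value and the server-side model are all constructed for illustration. It assumes JupyterHub stores the token in an `_xsrf` cookie and accepts it back in an `X-XSRFToken` header, that a valid API token in `Authorization: token ...` is exempt from the XSRF check, and it models the server check in simplified form (the header must equal the cookie on every authenticated request, whatever the method). It replays the two cylc-ui requests with the headers the client sent before the fix (XSRF header on the GraphQL POST only) and after it (on all requests), showing why the GET to userprofile failed under JupyterHub 4.1.

```javascript
// Added example, not cylc-ui's or JupyterHub's own code. Function names,
// endpoint paths, the cookie value and the server model are illustrative.

// Pull the `_xsrf` cookie out of a document.cookie-style string.
// Assumption: JupyterHub stores the XSRF token in a cookie named `_xsrf`
// and accepts it back in an `X-XSRFToken` request header.
function readXsrfCookie (cookieString) {
  const match = /(?:^|;\s*)_xsrf=([^;]*)/.exec(cookieString || '')
  return match ? decodeURIComponent(match[1]) : null
}

// Headers to attach to every request, GET and POST alike: after JupyterHub
// 4.1 the GET to /userprofile needs them just as the GraphQL POST always did.
// If the page was served with an API token, use it instead: token auth is
// not subject to the XSRF cookie check (assumption, per minrk's comment).
function buildCylcHeaders ({ cookie = '', apiToken = null } = {}) {
  if (apiToken) {
    return { Authorization: `token ${apiToken}` }
  }
  const xsrf = readXsrfCookie(cookie)
  return xsrf ? { 'X-XSRFToken': xsrf } : {}
}

// Length-independent comparison so a forged header cannot be probed
// character by character via response timing.
function constantTimeEqual (a, b) {
  if (a.length !== b.length) return false
  let diff = 0
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i)
  return diff === 0
}

// Simplified model of the server side (an assumption, not JupyterHub's code):
// a valid API token bypasses XSRF; otherwise every authenticated request,
// whatever the method, must carry an X-XSRFToken header equal to the _xsrf
// cookie. Returns a simulated HTTP status code.
function xsrfCheck (request, validTokens = new Set()) {
  const auth = request.headers.Authorization || ''
  if (auth.startsWith('token ')) {
    return validTokens.has(auth.slice('token '.length)) ? 200 : 403
  }
  const cookieToken = readXsrfCookie(request.cookie)
  const headerToken = request.headers['X-XSRFToken']
  if (!cookieToken || !headerToken) return 403
  return constantTimeEqual(cookieToken, headerToken) ? 200 : 403
}

// Constructed sample session: the browser holds a JupyterHub _xsrf cookie.
const SAMPLE_COOKIE = 'jupyterhub-session-id=abc123; _xsrf=2|1a2b3c4d|deadbeef|1714700000'

// Replay the two cylc-ui requests with the headers sent before the fix
// (XSRF header on the GraphQL POST only) and after it (on all requests).
function simulateSession (cookie) {
  const endpoints = [
    { method: 'GET', path: '/userprofile' },
    { method: 'POST', path: '/graphql' }
  ]
  const results = {}
  for (const ep of endpoints) {
    const before = { ...ep, cookie, headers: ep.method === 'POST' ? buildCylcHeaders({ cookie }) : {} }
    const after = { ...ep, cookie, headers: buildCylcHeaders({ cookie }) }
    results[`${ep.method} ${ep.path}`] = { before: xsrfCheck(before), after: xsrfCheck(after) }
  }
  return results
}

console.log(JSON.stringify(simulateSession(SAMPLE_COOKIE), null, 2))
```

The GET to /userprofile scores 403 before the fix and 200 after it, while the GraphQL POST passes in both runs; a forged header, a missing cookie, or an unknown API token all still fail. In a browser the cookie string would come from `document.cookie`, and the API-token branch only works if the server has injected the token into the page, which is the part minrk notes cylc-ui does not yet do.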

@oliver-sanders (Member) left a review comment

Makes sense, tested with JupyterHub 4.1.5, couldn't force a page load error. Many thanks!

@oliver-sanders oliver-sanders merged commit 44ad373 into cylc:master May 8, 2024
8 of 9 checks passed
@minrk minrk deleted the xsrf branch May 8, 2024 18:25
@MetRonnie MetRonnie removed their assignment Sep 11, 2024