Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include XSRF token in userprofile request #1778

Merged
merged 3 commits into from
May 8, 2024
Merged

Include XSRF token in userprofile request #1778

merged 3 commits into from
May 8, 2024

Conversation

minrk
Copy link
Contributor

@minrk minrk commented May 3, 2024
edited by MetRonnie
Loading

JupyterHub 4.1 applies XSRF checks consistently to authenticated GET requests, so apply the same getCylcHeaders logic in the graphQL POST request to all requests (userprofile was the only other one I found). As a result, the getCylcHeaders is moved to a common location in utils/url, rather than being confined to graphQL.

This solves the userprofile request, described in jupyterhub/jupyterhub#4800

Together with cylc/cylc-uiserver#592, cylc works with JupyterHub 4.1.5

Check List

  • I have read CONTRIBUTING.md and added my name as a Code Contributor.
  • Contains logically grouped changes (else tidy your branch by rebase).
  • Does not contain off-topic changes (use other PRs for other changes).
  • Tests are not needed for this change
  • CHANGES.md entry included if this is a change that can affect users

minrk added 3 commits May 3, 2024 10:34
@minrk
set XSRF header on userprofile request
3b98ecc 
moves getCylcHeaders to utils/url as a common utility to be applied to all requests
@minrk
add myself to contributors
b0d9346
@minrk
add changelog entry for 1778
26a117d
@minrk minrk mentioned this pull request May 3, 2024
Closed
@oliver-sanders oliver-sanders added the bug Something isn't working label May 3, 2024
@oliver-sanders oliver-sanders added this to the 2.5.0 milestone May 3, 2024
@oliver-sanders
Copy link
Member

Many thanks for your fixes @minrk, greatly appreciated!

@minrk
Copy link
Contributor Author

minrk commented May 3, 2024

Worth linking this comment where I suggested using API tokens to make API requests, which avoids all xsrf fiddliness. This PR is the smallest change to keep things working as they are.

I didn't make the API token change because I don't know the best way to get the token from the Python to javascript in your stack, but if someone wants to take that on, the token is available as token = self.hub_auth.get_token(self) when using JupyterHub authentication, and can then be injected into templates for authenticated pages, etc.

oliver-sanders
oliver-sanders approved these changes May 8, 2024
View reviewed changes
Copy link
Member

@oliver-sanders oliver-sanders left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, tested with JupyterHub 4.1.5, couldn't force a page load error. Many thanks!

@oliver-sanders oliver-sanders merged commit 44ad373 into cylc:master May 8, 2024
8 of 9 checks passed
@minrk minrk deleted the xsrf branch May 8, 2024 18:25
@MetRonnie MetRonnie removed their assignment Sep 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MetRonnie MetRonnie MetRonnie approved these changes

@oliver-sanders oliver-sanders oliver-sanders approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
2.5.0
Development

Successfully merging this pull request may close these issues.
3 participants
@minrk @oliver-sanders @MetRonnie