@web.authenticated decorator with IPythonHandler is not working on nbclassic #271

Open
@yacchin1205

@web.authenticated decorator with IPythonHandler is not working on nbclassic and the endpoint would be accessible without authentication.

Custom request handlers - Jupyter Notebook 6.5.4 mentioned that endpoints requiring authentication should use notebook.base.handlers.IPythonHandler and @tornado.web.authenticated, but actually only JupyterHandler (Server Extensions - Jupyter Server documentation) on Jupyter Server works.

I assume this means that the (former) Jupyter Notebook and Jupyter Server are not compatible with Handler, but it seems like a point that could easily be missed when migrating Extensions for the former Jupyter Notebook to nbclassic or Notebook v7. In most cases, it works under JupyterHub, so it's not a (large) problem, but it is hard to know that anyone can access the endpoint rather than losing access to it, so I believe that a warning should be given or a document should alert the user.

To Reproduce
To reproduce, please follow the steps below.
(As a sample, using https://github.com/Jupyter-contrib/jupyter_nbextensions_configurator)

  1. Download Dockerfile from https://gist.github.com/yacchin1205/532509f59b1815bdb4624a08db1e4f9c
  2. Build an image: docker build -t jupyter/ipython-handler-authentication-bug .
  3. Run jupyter notebook (former notebook server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=notebook jupyter/ipython-handler-authentication-bug
  4. Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 403 Forbidden. (Expected behavior)
  5. Stop the container with Ctrl-C
  6. Run jupyter nbclassic (nbclassic with jupyter-server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=nbclassic jupyter/ipython-handler-authentication-bug
  7. Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 200 OK with actual response. (Unexpected behavior)

Expected behavior
I assume that endpoints created with IPythonHandler and @web.authenticated should also return 403 Forbidden or provide a warning that authentication is not valid with IPythonHandler.
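
The curl comparison from the reproduction steps can be kept as a regression check when migrating an extension to nbclassic or Notebook v7. The following is an added example, not part of the original issue or of any Jupyter project; `start_stub` is a constructed stand-in for the two server behaviours reported above, and all function names are hypothetical.

```python
import http.server
import threading
import urllib.error
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow a redirect to a login page; surface the 3xx status itself.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def unauthenticated_status(base_url, path, timeout=5):
    """Return the HTTP status of a GET sent with no cookie, token or auth header."""
    # Empty ProxyHandler: talk to the server directly, ignoring proxy env vars.
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def exposed_endpoints(base_url, paths):
    """Paths that answer 2xx without credentials; 3xx/401/403 count as protected."""
    return [p for p in paths if 200 <= unauthenticated_status(base_url, p) < 300]

def start_stub(open_paths):
    """Constructed stand-in for a notebook server: 200 for open_paths, else 403."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200 if self.path in open_paths else 403)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the demo output quiet

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    path = "/nbextensions/nbextensions_configurator/list"  # endpoint from the report
    for label, open_paths in (("notebook-like", set()), ("nbclassic-like", {path})):
        server, url = start_stub(open_paths)
        print(label, "exposed:", exposed_endpoints(url, [path]))
        server.shutdown()
        server.server_close()
```

Against a real deployment, pass the server's base URL and the extension's handler paths to `exposed_endpoints` in place of the stub; a non-empty result means a handler is answering without authentication.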

Labels: bug, documentation
