From 3729dd02ac84641531cea940c2127ca52d09ccb2 Mon Sep 17 00:00:00 2001
From: Denis Ledoux
Date: Wed, 18 Jul 2018 10:21:41 +0200
Subject: [PATCH] [FIX] notebookapp, auth: `get_secure_cookie` kwargs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per Tornado's documentation:
>By default, Tornado’s secure cookies expire after 30 days.
>To change this, use the expires_days keyword argument to
>set_secure_cookie and the max_age_days argument to get_secure_cookie.
>These two values are passed separately so that you may
>e.g. have a cookie that is valid for 30 days for most purposes,
>but for certain sensitive actions
>(such as changing billing information)
>you use a smaller max_age_days when reading the cookie.

With the current implementation in `auth/login.py`, this is possible to pass the `expires_days` option but not possible to enforce it as this is not possible to pass `max_age_days` to `get_secure_cookie`
This makes impossible to set the cookie expiration without using a custom `LoginHandler`.
This revision is about adding the possibility to pass options to Tornado's `get_secure_cookie` method, so it can be possible to set the cookies expiration, among others.
---
 notebook/auth/login.py  | 3 ++-
 notebook/notebookapp.py | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/notebook/auth/login.py b/notebook/auth/login.py
index eb96263e50..14b510ccac 100644
--- a/notebook/auth/login.py
+++ b/notebook/auth/login.py
@@ -168,7 +168,8 @@ def get_user(cls, handler):
             return handler._user_id
         user_id = cls.get_user_token(handler)
         if user_id is None:
-            user_id = handler.get_secure_cookie(handler.cookie_name)
+            get_secure_cookie_kwargs = handler.settings.get('get_secure_cookie_kwargs', {})
+            user_id = handler.get_secure_cookie(handler.cookie_name, **get_secure_cookie_kwargs )
         else:
             cls.set_login_cookie(handler, user_id)
         # Record that the current request has been authenticated with a token.
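Review bot: The new lookup passes whatever sits in `settings['get_secure_cookie_kwargs']` straight through to `get_secure_cookie`, but nothing relates it to the `expires_days` an operator puts in `cookie_options` for `set_login_cookie`, so the two can silently disagree; the `max_age_days` applied on the read side is the bound that actually decides whether an old or leaked cookie is still accepted, while the cookie's own expiry is only honoured by the browser. A one-line comment above the lookup would make that explicit: `# max_age_days here is the server-side validity bound; cookie_options['expires_days'] only sets the browser-side expiry`. Also drop the stray space in `**get_secure_cookie_kwargs )`. `get_user` starts and ends outside the hunk.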
diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
index 64bd30f950..8b0d5b1538 100755
--- a/notebook/notebookapp.py
+++ b/notebook/notebookapp.py
@@ -945,6 +945,10 @@ def _update_webapp_settings(self, change):
         help=_("Extra keyword arguments to pass to `set_secure_cookie`."
                " See tornado's set_secure_cookie docs for details.")
     )
+    get_secure_cookie_kwargs = Dict(config=True,
+        help=_("Extra keyword arguments to pass to `get_secure_cookie`."
+               " See tornado's get_secure_cookie docs for details.")
+    )
     ssl_options = Dict(config=True,
             help=_("""Supply SSL options for the tornado HTTPServer.
             See the tornado docs for details."""))
@@ -1338,6 +1342,7 @@ def init_webapp(self):
         self.tornado_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat)
         self.tornado_settings['allow_credentials'] = self.allow_credentials
         self.tornado_settings['cookie_options'] = self.cookie_options
+        self.tornado_settings['get_secure_cookie_kwargs'] = self.get_secure_cookie_kwargs
         self.tornado_settings['token'] = self.token
         if (self.open_browser or self.file_to_run) and not self.password:
             self.one_time_token = binascii.hexlify(os.urandom(24)).decode('ascii')
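Review bot: The help text on the new `get_secure_cookie_kwargs` trait does not say which keyword matters for expiry, so an operator who shortens `cookie_options['expires_days']` gets no hint that the server keeps accepting the cookie for Tornado's default `max_age_days` unless it is also set here, which is exactly the gap the commit message describes. Suggest extending the help to something like `Extra keyword arguments to pass to \`get_secure_cookie\`, e.g. \`max_age_days\`, which bounds how long a login cookie is accepted server-side (\`cookie_options['expires_days']\` only sets the browser-side expiry). See tornado's get_secure_cookie docs for details.` The enclosing class continues outside the hunk; the wiring in the later `init_webapp` hunk looks consistent with the key read in `auth/login.py`.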