include xsrf token in event stream request

JupyterHub 4.1 increases strictness of xsrf checks omitting it is no longer allowed on `Sec-Fetch: cors` requests
jupyterhub · Mar 28, 2024 · 9b7813c · 9b7813c
1 parent 518c9c8
commit 9b7813c
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 2 deletions.
diff --git a/nbgitpuller/handlers.py b/nbgitpuller/handlers.py
@@ -29,6 +29,11 @@ def __init__(self, *args, **kwargs):
         if 'git_lock' not in self.settings:
             self.settings['git_lock'] = locks.Lock()
 
+    def get_login_url(self):
+        # raise on failed auth, not redirect
+        # can't redirect EventStream to login
+        raise web.HTTPError(403)
+
     @property
     def git_lock(self):
         return self.settings['git_lock']

diff --git a/nbgitpuller/static/js/gitsync.js b/nbgitpuller/static/js/gitsync.js
@@ -1,12 +1,13 @@
 export class GitSync {
-    constructor(baseUrl, repo, branch, depth, targetpath, path) {
+    constructor(baseUrl, repo, branch, depth, targetpath, path, xsrf) {
         // Class that talks to the API backend & emits events as appropriate
         this.baseUrl = baseUrl;
         this.repo = repo;
         this.branch = branch;
         this.depth = depth;
         this.targetpath = targetpath;
         this.redirectUrl = baseUrl + path;
+        this._xsrf = xsrf;
 
         this.callbacks = {};
     }
@@ -30,6 +31,7 @@ export class GitSync {
     start() {
         // Start git pulling handled by SyncHandler, declared in handlers.py
         let syncUrlParams = new URLSearchParams({
+            _xsrf: this._xsrf,
             repo: this.repo,
             targetpath: this.targetpath
         });

diff --git a/nbgitpuller/static/js/index.js b/nbgitpuller/static/js/index.js
@@ -21,7 +21,8 @@ const gs = new GitSync(
     getBodyData('branch'),
     getBodyData('depth'),
     getBodyData('targetpath'),
-    getBodyData('path')
+    getBodyData('path'),
+    getBodyData('xsrf'),
 );
 
 const gsv = new GitSyncView(

diff --git a/nbgitpuller/templates/status.html b/nbgitpuller/templates/status.html
@@ -5,6 +5,7 @@
 data-base-url="{{ base_url | urlencode }}"
 data-repo="{{ repo | urlencode }}"
 data-path="{{ path | urlencode }}"
+data-xsrf="{{ xsrf_token | urlencode }}"
 {% if branch %}data-branch="{{ branch | urlencode }}"{% endif %}
 {% if depth %}data-depth="{{ depth | urlencode }}"{% endif %}
 data-targetpath="{{ targetpath | urlencode }}"