I assume this means that the (former) Jupyter Notebook and Jupyter Server are not compatible with Handler, but it seems like a point that could easily be missed when migrating Extensions for the former Jupyter Notebook to nbclassic or Notebook v7. In most cases, it works under JupyterHub, so it's not a (large) problem, but it is hard to know that anyone can access the endpoint rather than losing access to it, so I believe that a warning should be given or a document should alert the user.
Build an image: docker build -t jupyter/ipython-handler-authentication-bug .
Run jupyter notebook (former notebook server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=notebook jupyter/ipython-handler-authentication-bug
Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 403 Forbidden. (Expected behavior)
Stop the container with Ctrl-C
Run jupyter nbclassic (nbclassic with jupyter-server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=nbclassic jupyter/ipython-handler-authentication-bug
Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 200 OK with actual response. (Unexpected behavior)
Expected behavior
I assume that endpoints created with IPythonHandler and @web.authenticated should also return 403 Forbidden or provide a warning that authentication is not valid with IPythonHandler.
@web.authenticateddecorator with IPythonHandler is not working on nbclassic and the endpoint would be accessible without authentication.Custom request handlers - Jupyter Notebook 6.5.4 mentioned that endpoints requiring authentication should use
notebook.base.handlers.IPythonHandlerand@tornado.web.authenticated, but actually onlyJupyterHandler( Server Extensions - Jupyter Server documentation) on Jupyter Server works.I assume this means that the (former) Jupyter Notebook and Jupyter Server are not compatible with Handler, but it seems like a point that could easily be missed when migrating Extensions for the former Jupyter Notebook to nbclassic or Notebook v7. In most cases, it works under JupyterHub, so it's not a (large) problem, but it is hard to know that anyone can access the endpoint rather than losing access to it, so I believe that a warning should be given or a document should alert the user.
To Reproduce To reproduce, please follow the steps below. (As a sample, using https://github.com/Jupyter-contrib/jupyter_nbextensions_configurator)
docker build -t jupyter/ipython-handler-authentication-bug .jupyter notebook(former notebook server):docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=notebook jupyter/ipython-handler-authentication-bugcurl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list'-> It returns 403 Forbidden. (Expected behavior)Ctrl-Cjupyter nbclassic(nbclassic with jupyter-server):docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=nbclassic jupyter/ipython-handler-authentication-bugcurl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list'-> It returns 200 OK with actual response. (Unexpected behavior)Expected behavior I assume that endpoints created with IPythonHandler and
@web.authenticatedshould also return 403 Forbidden or provide a warning that authentication is not valid with IPythonHandler.