voila-dashboards / voila

Voilà turns Jupyter notebooks into standalone web applications
https://voila.readthedocs.io

403 POST: '_xsrf' argument missing from POST when closing kernel #1458

Open salwon opened 2 months ago

salwon commented 2 months ago

Description

We have a Voila app running on an AWS ECS task that consistently throws the error in the title when a user closes their tab. We have auto-culling of kernels turned on as well; this error is thrown when the tab is closed even if the kernel has already been shut down. We are handling logins to this app using our internal authentication; we don't have or need any additional XSRF protection.

Full traceback is as follows:

```
403 POST /app/voila/api/shutdown/7887dd81-d08e-4c0a-a4cf-7753e9e0881b: '_xsrf' argument missing from POST
wrote error: "'_xsrf' argument missing from POST"
Traceback (most recent call last):
  File "/root/.cache/pypoetry/virtualenvs/marigold-j2r1q8F--py3.8/lib/python3.8/site-packages/tornado/web.py", line 1769, in _execute
    result = await result # type: ignore
  File "/root/.cache/pypoetry/virtualenvs/marigold-j2r1q8F--py3.8/lib/python3.8/site-packages/jupyter_server/base/handlers.py", line 731, in prepare
    await super().prepare()
  File "/root/.cache/pypoetry/virtualenvs/marigold-j2r1q8F--py3.8/lib/python3.8/site-packages/jupyter_server/base/handlers.py", line 632, in prepare
    self.check_xsrf_cookie()
  File "/root/.cache/pypoetry/virtualenvs/marigold-j2r1q8F--py3.8/lib/python3.8/site-packages/jupyter_server/base/handlers.py", line 536, in check_xsrf_cookie
    return super().check_xsrf_cookie()
  File "/root/.cache/pypoetry/virtualenvs/marigold-j2r1q8F--py3.8/lib/python3.8/site-packages/tornado/web.py", line 1605, in check_xsrf_cookie
    raise HTTPError(403, "'_xsrf' argument missing from POST")
tornado.web.HTTPError: HTTP 403: Forbidden ('_xsrf' argument missing from POST)
403 POST /app/voila/api/shutdown/7887dd81-d08e-4c0a-a4cf-7753e9e0881b 2.34ms
```

trungleduc commented 2 months ago

Hi, could you post your version of voila and jupyter_server?

salwon commented 2 months ago

Voila 0.4.3 Jupyter_server 2.12.5

salwon commented 2 months ago

I just confirmed the same error with jupyter-server 2.13.0 and Voila 0.5.5.

trungleduc commented 2 months ago

Thanks for reporting, I will take a look.

salwon commented 2 months ago

I'm able to get around it by adding 'disable_check_xsrf': True to my Tornado settings in Voila's arguments. I'm not sure if this is a safe/desired solution, but at least it doesn't throw the error.
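
Added example (not part of the thread, and not Voilà, jupyter_server or Tornado code): a simplified stand-alone model of the double-submit check that `check_xsrf_cookie` in the traceback performs, showing which request shapes pass and what turning the check off changes. The function names and cookie values are constructed, and `disable_check_xsrf` is modelled, as an assumption, as skipping the check entirely.

```python
import hmac
import secrets

XSRF_HEADERS = ("X-Xsrftoken", "X-Csrftoken")  # header names Tornado also accepts


class Forbidden(Exception):
    """Stands in for tornado.web.HTTPError(403, ...) in this model."""


def check_xsrf(cookies, form, headers, settings):
    """Double-submit check for a state-changing request such as the shutdown POST."""
    if settings.get("disable_check_xsrf", False):
        return  # workaround from the thread, modelled as "no check" (assumption)
    supplied = form.get("_xsrf") or next(
        (headers[h] for h in XSRF_HEADERS if h in headers), None)
    if not supplied:
        raise Forbidden("'_xsrf' argument missing from POST")
    expected = cookies.get("_xsrf", "")
    if not expected or not hmac.compare_digest(supplied, expected):
        raise Forbidden("XSRF cookie does not match POST argument")


def outcome(cookies, form, headers, settings):
    try:
        check_xsrf(cookies, form, headers, settings)
        return "200"
    except Forbidden as exc:
        return "403 " + str(exc)


# Constructed requests: the browser attaches the cookie jar to each of them.
TOKEN = secrets.token_hex(16)
JAR = {"_xsrf": TOKEN, "session": "constructed-session-id"}
REQUESTS = {
    "cookie only, no token": (JAR, {}, {}),
    "token in header": (JAR, {}, {"X-Xsrftoken": TOKEN}),
    "token in form body": (JAR, {"_xsrf": TOKEN}, {}),
    "wrong token": (JAR, {"_xsrf": "0" * 32}, {}),
}


def run(settings):
    return {name: outcome(*req, settings) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, settings in (("check on", {}), ("check off", {"disable_check_xsrf": True})):
        print(label, run(settings))
```

With the check on, only the two requests that echo the cookie value are accepted; with it off, all four are, including the one that carries nothing beyond the cookies a browser sends automatically.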