jupyterhub / jupyterhub

Multi-user server for Jupyter notebooks

Home Page:https://jupyterhub.readthedocs.io


4.1.4: Admin access to another user's server results in '403: Forbidden' on the first attempt; works on subsequent attempts

benz0li opened this issue · comments

Bug description

When accessing another user's server as admin, the first attempt results in

[screenshot: jupyterhub-4 1 4_admin-access-server_forbidden]

How to reproduce

A multi-user JupyterHub + admin user + JupyterLab image with JupyterHub 4.1.4 installed.

(The user with admin access is already logged in and does not have a server of their own running.)

Expected behaviour

Admin access to another user's server also works on the first attempt.

Actual behaviour

Admin access to another user's server results in '403: Forbidden' on the first attempt.

Logs of a JupyterLab container:

first attempt

[I 2024-04-01 09:03:11.541 ServerApp] 302 GET /user/[redacted]/ -> /user/[redacted]/lab? (@[redacted]) 1.92ms
[I 2024-04-01 09:03:11.583 ServerApp] 302 GET /user/[redacted]/lab -> /hub/api/oauth2/authorize?client_id=jupyterhub-user-[redacted]&redirect_uri=%2Fuser%2F[redacted]%2Foauth_callback&response_type=code&state=[secret] (@[redacted]) 3.40ms

second attempt

[I 2024-04-01 09:05:14.693 ServerApp] 302 GET /user/[redacted]/ -> /user/[redacted]/lab? (@[redacted]) 1.62ms
[W 2024-04-01 09:05:14.843 ServerApp] Detected unused OAuth state cookies
[I 2024-04-01 09:05:14.845 ServerApp] 302 GET /user/[redacted]/lab -> /hub/api/oauth2/authorize?client_id=jupyterhub-user-[redacted]&redirect_uri=%2Fuser%2F[redacted]%2Foauth_callback&response_type=code&state=[secret] (@[redacted]) 3.35ms
[I 2024-04-01 09:05:16.824 ServerApp] Logged-in user {'name': 'benz0li', 'kind': 'user', 'admin': True, 'groups': [], 'session_id': '3a2692192f7845f29bc5d0cc45493f02', 'scopes': ['access:servers!server=[redacted]/', 'read:users:groups!user=benz0li', 'read:users:name!user=benz0li']}
[I 2024-04-01 09:05:16.824 ServerApp] Setting new xsrf cookie for b'3a2692192f7845f29bc5d0cc45493f02:d9d013534c58576197eb2353d6be3360bcaa52192f4a8c7ba0bb0a2ecc4cd46e' {'path': '/user/[redacted]/'}
[I 2024-04-01 09:05:16.827 ServerApp] 302 GET /user/[redacted]/oauth_callback?code=[secret]&state=[secret] -> /user/[redacted]/lab (benz0li@[redacted]) 46.82ms

Your personal set up

JupyterHub: glcr.b-data.ch/jupyterhub/jupyterhub:4.1.4-oauth-docker

JupyterLab:

ℹ️ Images built with JUPYTERHUB_VERSION=4.1.4.

Ping @minrk
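As an added triage helper (not part of this report or of JupyterHub itself), the script below correlates ServerApp log lines like the ones above into OAuth handshakes and flags any that redirected to the Hub's authorize endpoint without ever returning through oauth_callback, recording the "unused OAuth state cookies" warning alongside. The user name and IP in the embedded sample are constructed placeholders for the redacted values.

```python
import re
from dataclasses import dataclass

# Constructed sample based on the two attempts in the report (names/IPs are placeholders).
SAMPLE_LOG = """\
[I 2024-04-01 09:03:11.541 ServerApp] 302 GET /user/alice/ -> /user/alice/lab? (@10.0.0.1) 1.92ms
[I 2024-04-01 09:03:11.583 ServerApp] 302 GET /user/alice/lab -> /hub/api/oauth2/authorize?client_id=jupyterhub-user-alice&redirect_uri=%2Fuser%2Falice%2Foauth_callback&response_type=code&state=[secret] (@10.0.0.1) 3.40ms
[I 2024-04-01 09:05:14.693 ServerApp] 302 GET /user/alice/ -> /user/alice/lab? (@10.0.0.1) 1.62ms
[W 2024-04-01 09:05:14.843 ServerApp] Detected unused OAuth state cookies
[I 2024-04-01 09:05:14.845 ServerApp] 302 GET /user/alice/lab -> /hub/api/oauth2/authorize?client_id=jupyterhub-user-alice&redirect_uri=%2Fuser%2Falice%2Foauth_callback&response_type=code&state=[secret] (@10.0.0.1) 3.35ms
[I 2024-04-01 09:05:16.824 ServerApp] Logged-in user {'name': 'benz0li', 'kind': 'user', 'admin': True, 'groups': []}
[I 2024-04-01 09:05:16.827 ServerApp] 302 GET /user/alice/oauth_callback?code=[secret]&state=[secret] -> /user/alice/lab (benz0li@10.0.0.1) 46.82ms
"""

LINE_RE = re.compile(r"^\[(?P<level>[IWEC]) (?P<ts>\S+ \S+) ServerApp\] (?P<msg>.*)$")
AUTHORIZE_RE = re.compile(r"-> /hub/api/oauth2/authorize\?client_id=(?P<client>[^&\s]+)")
CALLBACK_RE = re.compile(r"GET /user/[^/]+/oauth_callback\?")
LOGIN_RE = re.compile(r"Logged-in user \{'name': '(?P<name>[^']+)'.*?'admin': (?P<admin>True|False)")

@dataclass
class Handshake:
    started_at: str            # timestamp of the redirect to /hub/api/oauth2/authorize
    client_id: str             # oauth client, e.g. jupyterhub-user-<owner>
    stale_state_warning: bool  # "Detected unused OAuth state cookies" seen just before it
    completed_at: str = ""     # timestamp of the oauth_callback redirect, "" if never seen
    login_name: str = ""       # visitor identity the Hub returned, "" if none
    login_admin: bool = False

def audit_oauth_handshakes(log_text):
    """Group ServerApp lines into OAuth handshakes; a handshake without a
    completed_at is an authorize redirect that never returned via oauth_callback."""
    handshakes, pending_warning = [], False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("Detected unused OAuth state cookies"):
            pending_warning = True  # warning is logged right before the next authorize redirect
        elif (a := AUTHORIZE_RE.search(msg)):
            handshakes.append(Handshake(m["ts"], a["client"], pending_warning))
            pending_warning = False
        elif handshakes and (lg := LOGIN_RE.search(msg)):
            handshakes[-1].login_name = lg["name"]
            handshakes[-1].login_admin = lg["admin"] == "True"
        elif handshakes and CALLBACK_RE.search(msg):
            handshakes[-1].completed_at = m["ts"]
    return handshakes
```

Running it over the sample yields two handshakes: the first never completes (the 403 attempt), the second carries the stale-state warning and finishes with the admin identity.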

Thanks for reporting! Can you test with a private browsing session to make sure it's starting with no cookies? It's possible there was some stale cookie state from the previous session that got cleared after success.

Can you test with a private browsing session to make sure it's starting with no cookies?

Done.

It's possible there was some stale cookie state from the previous session that got cleared after success.

Seems to have been the case.

Still probably something not quite right in terms of setting the value in the first place, but lower priority if trying again fixes the problem. Thanks for testing!