use tornado xsrf token in API

- Cookie-authenticated API requests must use set X-XSRFToken header
- add utils.ajax for making ajax requests, adding xsrf header from default location

Author: minrk

notebook/base/handlers.py

@@ -359,7 +359,7 @@ def template_namespace(self):
             ignore_minified_js=self.ignore_minified_js,
             xsrf_form_html=self.xsrf_form_html,
             token=self.token,
-            xsrf_token=self.xsrf_token,
+            xsrf_token=self.xsrf_token.decode('utf8'),
             **self.jinja_template_vars
         )
 

notebook/static/base/js/utils.js

@@ -527,7 +527,7 @@ define([
 
     var to_absolute_cursor_pos = function (cm, cursor) {
         console.warn('`utils.to_absolute_cursor_pos(cm, pos)` is deprecated. Use `cm.indexFromPos(cursor)`');
-        return cm.indexFromPos(cusrsor);
+        return cm.indexFromPos(cursor);
     };
 
     var from_absolute_cursor_pos = function (cm, cursor_pos) {
@@ -676,6 +676,29 @@ define([
         return wrapped_error;
     };
 
+    var ajax = function (url, settings) {
+        // like $.ajax, but ensure Authorization header is set
+        settings = _add_auth_header(settings);
+        return $.ajax(url, settings);
+    };
+
+    var _add_auth_header = function (settings) {
+        /**
+         * Adds auth header to jquery ajax settings
+         */
+        settings = settings || {};
+        if (!settings.headers) {
+            settings.headers = {};
+        }
+        if (!settings.headers.Authorization) {
+            var xsrf_token = get_body_data('xsrfToken');
+            if (xsrf_token) {
+                settings.headers['X-XSRFToken'] = xsrf_token;
+            }
+        }
+        return settings;
+    };
+
     var promising_ajax = function(url, settings) {
         /**
          * Like $.ajax, but returning an ES6 promise. success and error settings
@@ -690,7 +713,7 @@ define([
                 log_ajax_error(jqXHR, status, error);
                 reject(wrap_ajax_error(jqXHR, status, error));
             };
-            $.ajax(url, settings);
+            ajax(url, settings);
         });
     };
 
@@ -880,10 +903,11 @@ define([
         is_or_has : is_or_has,
         is_focused : is_focused,
         mergeopt: mergeopt,
-        ajax_error_msg : ajax_error_msg,
-        log_ajax_error : log_ajax_error,
         requireCodeMirrorMode : requireCodeMirrorMode,
         XHR_ERROR : XHR_ERROR,
+        ajax : ajax,
+        ajax_error_msg : ajax_error_msg,
+        log_ajax_error : log_ajax_error,
         wrap_ajax_error : wrap_ajax_error,
         promising_ajax : promising_ajax,
         WrappedError: WrappedError,

notebook/static/services/kernels/kernel.js

@@ -151,7 +151,7 @@ define([
      * @param {function} [error] - functon executed on ajax error
      */
     Kernel.prototype.list = function (success, error) {
-        $.ajax(this.kernel_service_url, {
+        utils.ajax(this.kernel_service_url, {
             processData: false,
             cache: false,
             type: "GET",
@@ -193,7 +193,7 @@ define([
             }
         };
 
-        $.ajax(url, {
+        utils.ajax(url, {
             processData: false,
             cache: false,
             type: "POST",
@@ -217,7 +217,7 @@ define([
      * @param {function} [error] - functon executed on ajax error
      */
     Kernel.prototype.get_info = function (success, error) {
-        $.ajax(this.kernel_url, {
+        utils.ajax(this.kernel_url, {
             processData: false,
             cache: false,
             type: "GET",
@@ -243,7 +243,7 @@ define([
     Kernel.prototype.kill = function (success, error) {
         this.events.trigger('kernel_killed.Kernel', {kernel: this});
         this._kernel_dead();
-        $.ajax(this.kernel_url, {
+        utils.ajax(this.kernel_url, {
             processData: false,
             cache: false,
             type: "DELETE",
@@ -277,7 +277,7 @@ define([
         };
 
         var url = utils.url_path_join(this.kernel_url, 'interrupt');
-        $.ajax(url, {
+        utils.ajax(url, {
             processData: false,
             cache: false,
             type: "POST",
@@ -319,7 +319,7 @@ define([
         };
 
         var url = utils.url_path_join(this.kernel_url, 'restart');
-        $.ajax(url, {
+        utils.ajax(url, {
             processData: false,
             cache: false,
             type: "POST",

notebook/static/services/sessions/session.js

@@ -77,7 +77,7 @@ define([
      * @param {function} [error] - functon executed on ajax error
      */
     Session.prototype.list = function (success, error) {
-        $.ajax(this.session_service_url, {
+        utils.ajax(this.session_service_url, {
             processData: false,
             cache: false,
             type: "GET",
@@ -118,7 +118,7 @@ define([
             }
         };
 
-        $.ajax(this.session_service_url, {
+        utils.ajax(this.session_service_url, {
             processData: false,
             cache: false,
             type: "POST",
@@ -140,7 +140,7 @@ define([
      * @param {function} [error] - functon executed on ajax error
      */
     Session.prototype.get_info = function (success, error) {
-        $.ajax(this.session_url, {
+        utils.ajax(this.session_url, {
             processData: false,
             cache: false,
             type: "GET",
@@ -166,7 +166,7 @@ define([
             this.notebook_model.path = path;
         }
 
-        $.ajax(this.session_url, {
+        utils.ajax(this.session_url, {
             processData: false,
             cache: false,
             type: "PATCH",
@@ -193,7 +193,7 @@ define([
             this.kernel._kernel_dead();
         }
 
-        $.ajax(this.session_url, {
+        utils.ajax(this.session_url, {
             processData: false,
             cache: false,
             type: "DELETE",

notebook/static/tree/js/notebooklist.js

@@ -632,7 +632,7 @@ define([
                 'api/sessions',
                 encodeURIComponent(session.id)
             );
-            $.ajax(url, settings);
+            utils.ajax(url, settings);
         }
     };
 

notebook/static/tree/js/sessionlist.js

@@ -63,7 +63,7 @@ define([
             error : utils.log_ajax_error,
         };
         var url = utils.url_path_join(this.base_url, 'api/sessions');
-        $.ajax(url, settings);
+        utils.ajax(url, settings);
     };
 
     SesssionList.prototype.sessions_loaded = function(data){

notebook/static/tree/js/terminallist.js

@@ -61,12 +61,12 @@ define([
             this.base_url,
             'api/terminals'
         );
-        $.ajax(url, settings);
+        utils.ajax(url, settings);
     };
 
     TerminalList.prototype.load_terminals = function() {
         var url = utils.url_path_join(this.base_url, 'api/terminals');
-        $.ajax(url, {
+        utils.ajax(url, {
             type: "GET",
             cache: false,
             dataType: "json",
@@ -114,7 +114,7 @@ define([
                 };
                 var url = utils.url_path_join(that.base_url, 'api/terminals',
                     utils.encode_uri_components(name));
-                $.ajax(url, settings);
+                utils.ajax(url, settings);
                 return false;
             });
         item.find(".item_buttons").text("").append(shutdown_button);

notebook/templates/page.html

@@ -113,7 +113,14 @@
 
 </head>
 
-<body class="{% block bodyclasses %}{% endblock %}" {% block params %}{% endblock %}>
+<body class="{% block bodyclasses %}{% endblock %}"
+ {% block params %}
+  data-xsrf-token="{{xsrf_token | urlencode}}"
+  {% if logged_in and token %}
+    data-jupyter-api-token="{{token | urlencode}}"
+  {% endif %}
+ {% endblock params %}
+>
 
 <noscript>
     <div id='noscript'>