add token_authenticated property

minrk · minrk · commit fb8640a072f7 · 2016-12-21T21:14:11.000+01:00
indicates if a token is used for authentication, in which case xsrf checks should be skipped.
diff --git a/notebook/auth/login.py b/notebook/auth/login.py
@@ -97,7 +97,7 @@ def set_login_cookie(cls, handler, user_id=None):
     auth_header_pat = re.compile('token\s+(.+)', re.IGNORECASE)
 
     @classmethod
-    def get_user_token(cls, handler):
+    def get_token(cls, handler):
         """Get the user token from a request
 
         Default:
@@ -120,11 +120,22 @@ def should_check_origin(cls, handler):
         
         Origin check should be skipped for token-authenticated requests.
         """
+        return not cls.is_token_authenticated(handler)
+    
+    @classmethod
+    def is_token_authenticated(cls, handler):
+        """Check if the handler has been authenticated by a token.
+        
+        This is used to signal certain things, such as:
+        
+        - permit access to REST API
+        - xsrf protection
+        - skip origin-checks for scripts
+        """
         if getattr(handler, '_user_id', None) is None:
             # ensure get_user has been called, so we know if we're token-authenticated
             handler.get_current_user()
-        token_authenticated = getattr(handler, '_token_authenticated', False)
-        return not token_authenticated
+        return getattr(handler, '_token_authenticated', False)
 
     @classmethod
     def get_user(cls, handler):
@@ -136,40 +147,51 @@ def get_user(cls, handler):
         # called on LoginHandler itself.
         if getattr(handler, '_user_id', None):
             return handler._user_id
-        user_id = handler.get_secure_cookie(handler.cookie_name)
-        if not user_id:
+        user_id = cls.get_user_token(handler)
+        if user_id is None:
+            user_id = handler.get_secure_cookie(handler.cookie_name)
+        else:
+            cls.set_login_cookie(handler, user_id)
+            # Record that we've been authenticated with a token.
+            # Used in should_check_origin above.
+            handler._token_authenticated = True
+        if user_id is None:
             # prevent extra Invalid cookie sig warnings:
             handler.clear_login_cookie()
-            token = handler.token
-            if not token and not handler.login_available:
+            if not handler.login_available:
                 # Completely insecure! No authentication at all.
                 # No need to warn here, though; validate_security will have already done that.
-                return 'anonymous'
-            if token:
-                # check login token from URL argument or Authorization header
-                user_token = cls.get_user_token(handler)
-                one_time_token = handler.one_time_token
-                authenticated = False
-                if user_token == token:
-                    # token-authenticated, set the login cookie
-                    handler.log.info("Accepting token-authenticated connection from %s", handler.request.remote_ip)
-                    authenticated = True
-                elif one_time_token and user_token == one_time_token:
-                    # one-time-token-authenticated, only allow this token once
-                    handler.settings.pop('one_time_token', None)
-                    handler.log.info("Accepting one-time-token-authenticated connection from %s", handler.request.remote_ip)
-                    authenticated = True
-                if authenticated:
-                    user_id = uuid.uuid4().hex
-                    cls.set_login_cookie(handler, user_id)
-                    # Record that we've been authenticated with a token.
-                    # Used in should_check_origin above.
-                    handler._token_authenticated = True
+                user_id = 'anonymous'
 
         # cache value for future retrievals on the same request
         handler._user_id = user_id
         return user_id
 
+    @classmethod
+    def get_user_token(cls, handler):
+        """Identify the user based on a token in the URL or Authorization header"""
+        token = handler.token
+        if not token:
+            return
+        # check login token from URL argument or Authorization header
+        user_token = cls.get_token(handler)
+        one_time_token = handler.one_time_token
+        authenticated = False
+        if user_token == token:
+            # token-authenticated, set the login cookie
+            handler.log.debug("Accepting token-authenticated connection from %s", handler.request.remote_ip)
+            authenticated = True
+        elif one_time_token and user_token == one_time_token:
+            # one-time-token-authenticated, only allow this token once
+            handler.settings.pop('one_time_token', None)
+            handler.log.info("Accepting one-time-token-authenticated connection from %s", handler.request.remote_ip)
+            authenticated = True
+
+        if authenticated:
+            return uuid.uuid4().hex
+        else:
+            return None
+
 
     @classmethod
     def validate_security(cls, app, ssl_options=None):
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
@@ -48,7 +48,7 @@ def log():
 
 class AuthenticatedHandler(web.RequestHandler):
     """A RequestHandler with an authenticated user."""
-    
+
     @property
     def content_security_policy(self):
         """The default Content-Security-Policy header
@@ -95,6 +95,13 @@ def skip_check_origin(self):
             return False
         return not self.login_handler.should_check_origin(self)
 
+    @property
+    def token_authenticated(self):
+        """Have I been authenticated with a token?"""
+        if self.login_handler is None or not hasattr(self.login_handler, 'is_token_authenticated'):
+            return False
+        return self.login_handler.is_token_authenticated(self)
+
     @property
     def cookie_name(self):
         default_cookie_name = non_alphanum.sub('-', 'username-{}'.format(
@@ -314,7 +321,15 @@ def check_origin(self, origin_to_satisfy_tornado=""):
                 self.request.path, origin, host,
             )
         return allow
-    
+
+    def check_xsrf_cookie(self):
+        """Bypass xsrf checks when token-authenticated"""
+        if self.token_authenticated:
+            # Token-authenticated requests do not need additional XSRF-check
+            # Servers without authentication are vulnerable to XSRF
+            return
+        return super(IPythonHandler, self).check_xsrf_cookie()
+
     #---------------------------------------------------------------
     # template rendering
     #---------------------------------------------------------------
@@ -343,6 +358,8 @@ def template_namespace(self):
             version_hash=self.version_hash,
             ignore_minified_js=self.ignore_minified_js,
             xsrf_form_html=self.xsrf_form_html,
+            token=self.token,
+            xsrf_token=self.xsrf_token,
             **self.jinja_template_vars
         )
     
@@ -406,15 +423,6 @@ def prepare(self):
             raise web.HTTPError(404)
         return super(APIHandler, self).prepare()
 
-    def check_xsrf_cookie(self):
-        """Check non-empty body on POST for XSRF
-
-        instead of checking the cookie for forms.
-        """
-        if self.request.method.upper() == 'POST' and not self.request.body:
-            # Require non-empty POST body for XSRF
-            raise web.HTTPError(400, "POST requests must have a JSON body. If no content is needed, use '{}'.")
-
     @property
     def content_security_policy(self):
         csp = '; '.join([
