[FIX] notebookapp, auth: get_secure_cookie kwargs

beledouxdenis · beledouxdenis · commit 3729dd02ac84 · 2018-07-19T09:36:36.000+02:00
Per Tornado's documentation:

&gt;By default, Tornado’s secure cookies expire after 30 days.
&gt;To change this, use the expires_days keyword argument to
&gt;set_secure_cookie and the max_age_days argument to get_secure_cookie.
&gt;These two values are passed separately so that you may
&gt;e.g. have a cookie that is valid for 30 days for most purposes,
&gt;but for certain sensitive actions
&gt;(such as changing billing information)
&gt;you use a smaller max_age_days when reading the cookie.

With the current implementation in `auth/login.py`,
this is possible to pass the `expires_days` option
but not possible to enforce it as this is not possible
to pass `max_age_days` to `get_secure_cookie`

This makes impossible to set the cookie expiration without
using a custom `LoginHandler`.

This revision is about adding the possibility to pass options
to Tornado's `get_secure_cookie` method,
so it can be possible to set the cookies expiration,
among others.
diff --git a/notebook/auth/login.py b/notebook/auth/login.py
@@ -168,7 +168,8 @@ def get_user(cls, handler):
             return handler._user_id
         user_id = cls.get_user_token(handler)
         if user_id is None:
-            user_id = handler.get_secure_cookie(handler.cookie_name)
+            get_secure_cookie_kwargs  = handler.settings.get('get_secure_cookie_kwargs', {})
+            user_id = handler.get_secure_cookie(handler.cookie_name, **get_secure_cookie_kwargs )
         else:
             cls.set_login_cookie(handler, user_id)
             # Record that the current request has been authenticated with a token.
diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
@@ -945,6 +945,10 @@ def _update_webapp_settings(self, change):
         help=_("Extra keyword arguments to pass to `set_secure_cookie`."
              " See tornado's set_secure_cookie docs for details.")
     )
+    get_secure_cookie_kwargs = Dict(config=True,
+        help=_("Extra keyword arguments to pass to `get_secure_cookie`."
+             " See tornado's get_secure_cookie docs for details.")
+    )
     ssl_options = Dict(config=True,
             help=_("""Supply SSL options for the tornado HTTPServer.
             See the tornado docs for details."""))
@@ -1338,6 +1342,7 @@ def init_webapp(self):
             self.tornado_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat)
         self.tornado_settings['allow_credentials'] = self.allow_credentials
         self.tornado_settings['cookie_options'] = self.cookie_options
+        self.tornado_settings['get_secure_cookie_kwargs'] = self.get_secure_cookie_kwargs
         self.tornado_settings['token'] = self.token
         if (self.open_browser or self.file_to_run) and not self.password:
             self.one_time_token = binascii.hexlify(os.urandom(24)).decode('ascii')
