place JupyterHub token in JupyterLab PageConfig

restores token field useful for javascript-originating API requests, removed in 1.5 / 2.0 for security reasons because it was the wrong token. This places the _user's_ token in PageConfig, so it should have the right permissions. requires jupyterlab_server 2.9, has no effect on earlier versions.
jupyterhub · Mar 1, 2022 · a0b60f9 · a0b60f9
1 parent 27cb564
commit a0b60f9
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/jupyterhub/singleuser/mixins.py b/jupyterhub/singleuser/mixins.py
@@ -16,7 +16,6 @@
 import secrets
 import sys
 import warnings
-from datetime import datetime
 from datetime import timezone
 from importlib import import_module
 from textwrap import dedent
@@ -680,6 +679,7 @@ def init_webapp(self):
         s['hub_prefix'] = self.hub_prefix
         s['hub_host'] = self.hub_host
         s['hub_auth'] = self.hub_auth
+        s['page_config_hook'] = self.page_config_hook
         csp_report_uri = s['csp_report_uri'] = self.hub_host + url_path_join(
             self.hub_prefix, 'security/csp-report'
         )
@@ -707,6 +707,18 @@ def init_webapp(self):
         self.patch_default_headers()
         self.patch_templates()
 
+    def page_config_hook(self, handler, page_config):
+        """JupyterLab page config hook
+
+        Adds JupyterHub info to page config.
+
+        Places the JupyterHub API token in PageConfig.token.
+
+        Only has effect on jupyterlab_server >=2.9
+        """
+        page_config["token"] = self.hub_auth.get_token(handler) or ""
+        return page_config
+
     def patch_default_headers(self):
         if hasattr(RequestHandler, '_orig_set_default_headers'):
             return