Strip newlines from token file #6529

Open
wants to merge 1 commit into
base: 6.5.x

nicktimko

It's common for text editors and shell redirection to generate a file that ends in a newline, which is then extremely difficult, if not impossible, to enter into the browser. After a...while...debugging, I realized that in generating my token file with

$ python3 -c "print(__import__('secrets').token_urlsafe())" > .tokenfile
$ xxd .tokenfile 
00000000: 6c6f 7036 7675 6637 6e38 396c 3677 7538  lop6vuf7n89l6wu8
00000010: 2d79 7039 5768 7665 755f 385a 786b 4b31  -yp9Whveu_8ZxkK1
00000020: 3034 6e35 456c 464c 4e73 510a            04n5ElFLNsQ.

There's that trailing 0a, or \n. I hot-hacked an all-encompassing .strip() onto my local Jupyter, but just stripping \n\r is probably the most conservative. If a user really hates themselves, they can put tabs in there, or a newline in the middle.

Theoretically, this is a breaking change, but if that's the case, then I'd like to know how to get a newline in a browser's password field. 7.x/main branch seems to have radically refactored code, so I don't know where this logic is there.

If this was new, I'd probably have examined the token string and either raised a warning or just flat out refused to start if it's a multiline string, e.g. if someone tried to generate a token but the generation failed for some reason and the file was just a traceback.

@krassowski
Member

> 7.x/main branch seems to have radically refactored code, so I don't know where this logic is there.

It's now in jupyter-server: https://github.com/jupyter-server/jupyter_server/blob/0c22000f6ba01c1cd0de64ffa748cc869c3abf5c/jupyter_server/auth/identity.py#L202

Maybe a warning when the token contains whitespace could be a good idea? I would suggest opening an issue over at jupyter-server to discuss.
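
The handling discussed in this thread (strip only the line ending, refuse a multi-line file, warn on other whitespace), as an added example that is not code from this PR or from Jupyter. `load_token`, `TokenFileError` and `write_sample` are hypothetical names, and the sample file contents are constructed.

```python
import logging
import os
import tempfile

log = logging.getLogger("token_file_example")


class TokenFileError(ValueError):
    """The token file does not contain a usable single-line token."""


def load_token(path):
    """Return the token stored in `path`, minus any line ending around it."""
    # newline="" disables newline translation, so a CRLF ending is seen as-is.
    with open(path, encoding="utf-8", newline="") as f:
        raw = f.read()
    # Conservative strip: only CR/LF at the ends, not all whitespace.
    token = raw.strip("\r\n")
    if not token:
        raise TokenFileError(f"{path}: token file is empty")
    if "\n" in token or "\r" in token:
        # E.g. token generation failed and the file holds a traceback.
        raise TokenFileError(f"{path}: token spans multiple lines")
    if any(ch.isspace() for ch in token):
        # Still accepted, but hard to type into a login form.
        log.warning("%s: token contains whitespace", path)
    return token


def write_sample(content):
    """Write constructed sample bytes to a temporary file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".tokenfile")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed samples: LF ending, CRLF ending, and a fake traceback.
    samples = [
        b"sample-token_123\n",
        b"sample-token_123\r\n",
        b"Traceback (most recent call last):\n  File \"<string>\", line 1\n",
    ]
    for content in samples:
        path = write_sample(content)
        try:
            print(repr(load_token(path)))
        except TokenFileError as exc:
            print("refused:", exc)
        finally:
            os.remove(path)
```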
