jupyter_server
Have handlers be @web.authenticated by default ?
I've seen many extensions forgetting to put `@web.authenticated` on handlers; I'm tempted to think that `AuthenticatedFileHandler` should use `__init_subclass__` (or whatever), peek at `SUPPORTED_METHODS`, and auto-wrap any handler in `@web.authenticated` unless the handler is marked with a specific `@public` decorator.

It's likely something like

```python
from tornado import web

# Sketch: meant to live in the handler base class, so that every subclass is processed.
def __init_subclass__(cls):
    for verb in cls.SUPPORTED_METHODS:               # e.g. "GET", "POST"
        meth = getattr(cls, verb.lower(), None)      # handler methods are lowercase
        if meth and not getattr(meth, '_public', None):
            setattr(cls, verb.lower(), web.authenticated(meth))
```

The hard part is likely deprecation and detecting methods that are already in `@web.authenticated`, though that should not be too hard as it sets the `__wrapped__` attribute, and wrapping twice with `@web.authenticated` should be a no-op.

I think from a security standpoint it's a strict gain and likely a net decrease in code size as well (I can find, just on this repo, at least 44 mentions of `@web.authenticated`).

Having a secured-by-default core server, as well as extensions, sounds like a feature we need. We just need to clearly document that extensions will require authentication unless they add a `@public` decorator.
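The auto-wrapping idea sketched above, worked through as an added example that is not code from the jupyter_server project. To run offline without tornado it uses a constructed stand-in `authenticated` decorator (simplified: it always raises 403 when there is no `current_user`, whereas tornado's redirects GET/HEAD to the login page), and the names `public`, `is_authenticated`, `wrap_depth`, `dispatch` and the handler classes are all hypothetical. It shows the two details the sketch calls out: the opt-out decorator, and detecting a method that is already wrapped by walking the `__wrapped__` chain that `functools.wraps` sets, so that a handler that still carries an explicit `@authenticated` is not wrapped twice.

```python
import functools


class HTTPError(Exception):
    """Constructed stand-in for tornado.web.HTTPError."""

    def __init__(self, status_code):
        super().__init__(status_code)
        self.status_code = status_code


def authenticated(method):
    """Constructed stand-in for tornado.web.authenticated: deny when no current_user.

    functools.wraps sets wrapper.__wrapped__ = method, which is what lets us
    detect later that a method has already been wrapped.
    """
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        if not self.current_user:
            raise HTTPError(403)
        return method(self, *args, **kwargs)
    wrapper._authenticated = True
    return wrapper


def public(method):
    """Opt-out marker (hypothetical): the verb stays reachable without a user."""
    method._public = True
    return method


def is_authenticated(method):
    """Walk the __wrapped__ chain to find an existing authenticated() wrapper."""
    while method is not None:
        if getattr(method, "_authenticated", False):
            return True
        method = getattr(method, "__wrapped__", None)
    return False


def wrap_depth(method):
    """Count how many wrappers sit on a method (1 means wrapped exactly once)."""
    depth = 0
    while getattr(method, "__wrapped__", None) is not None:
        depth += 1
        method = method.__wrapped__
    return depth


class RequestHandler:
    """Minimal stand-in for tornado.web.RequestHandler."""
    SUPPORTED_METHODS = ("GET", "HEAD", "POST", "DELETE", "PATCH", "PUT", "OPTIONS")

    def __init__(self, current_user=None):
        self.current_user = current_user


class AuthenticatedHandler(RequestHandler):
    """Base class: every verb a subclass defines is authenticated unless @public."""

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        for verb in cls.SUPPORTED_METHODS:
            name = verb.lower()                 # SUPPORTED_METHODS are uppercase
            meth = vars(cls).get(name)          # only verbs defined on this class
            if meth is None:
                continue
            if getattr(meth, "_public", False) or is_authenticated(meth):
                continue                        # opted out, or already wrapped
            setattr(cls, name, authenticated(meth))


class StatusHandler(AuthenticatedHandler):
    def get(self):                              # gets wrapped automatically
        return "status for %s" % self.current_user

    @public
    def options(self):                          # stays unauthenticated
        return "public preflight"


class AlreadyWrappedHandler(AuthenticatedHandler):
    @authenticated                              # explicit wrap is detected, not doubled
    def post(self):
        return "posted"


def dispatch(handler, verb):
    """Call a verb on a handler instance and return (status, body)."""
    try:
        return 200, getattr(handler, verb.lower())()
    except HTTPError as err:
        return err.status_code, None


if __name__ == "__main__":
    print(dispatch(StatusHandler(current_user="alice"), "GET"))   # (200, 'status for alice')
    print(dispatch(StatusHandler(), "GET"))                       # (403, None)
    print(dispatch(StatusHandler(), "OPTIONS"))                   # (200, 'public preflight')
    print(wrap_depth(AlreadyWrappedHandler.post))                 # 1
```

Looking only at `vars(cls)` rather than `getattr(cls, name)` means each verb is processed once, in the class that defines it; a subclass that inherits an already-wrapped `get` is left alone, and the unwrapped defaults on the base `RequestHandler` are never touched.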
@Zsailer I see that you had a commit referencing this issue, is there an associated PR or was it referenced by accident?