Add allow_unauthenticated_access traitlet and @allow_unauthenticated

Author: krassowski

jupyter_server/auth/decorator.py

@@ -85,3 +85,30 @@ async def inner(self, *args, **kwargs):
         return cast(FuncT, wrapper(method))
 
     return cast(FuncT, wrapper)
+
+
+def allow_unauthenticated(action: Optional[FuncT] = None) -> FuncT:
+    """A decorator for tornado.web.RequestHandler methods
+    that allows any user to make the following request.
+
+    Selectively disables the 'authentication' layer of REST API which
+    is active when `ServerApp.allow_unauthenticated_access = False`.
+
+    To be used exclusively on endpoints which may be considered public,
+    for example the logic page handler.
+
+    .. versionadded:: 2.13
+
+    Parameters
+    ----------
+    method : str
+        the endpoint method to remove authentication from.
+    """
+
+    @wraps(method)
+    async def wrapper(self, *args, **kwargs):
+        return method(self, *args, **kwargs)
+
+    wrapper.__allow_unauthenticated = True
+
+    return cast(FuncT, wrapper)

jupyter_server/auth/login.py

@@ -9,6 +9,7 @@
 from tornado.escape import url_escape
 
 from ..base.handlers import JupyterHandler
+from .decorator import allow_unauthenticated
 from .security import passwd_check, set_password
 
 
@@ -73,6 +74,7 @@ def _redirect_safe(self, url, default=None):
                 url = default
         self.redirect(url)
 
+    @allow_unauthenticated
     def get(self):
         """Get the login form."""
         if self.current_user:
@@ -81,6 +83,7 @@ def get(self):
         else:
             self._render()
 
+    @allow_unauthenticated
     def post(self):
         """Post a login."""
         user = self.current_user = self.identity_provider.process_login_form(self)
@@ -110,6 +113,7 @@ def passwd_check(self, a, b):
         """Check a passwd."""
         return passwd_check(a, b)
 
+    @allow_unauthenticated
     def post(self):
         """Post a login form."""
         typed_password = self.get_argument("password", default="")

jupyter_server/base/handlers.py

@@ -630,6 +630,16 @@ async def prepare(self) -> Awaitable[None] | None:  # type:ignore[override]
         self.set_cors_headers()
         if self.request.method not in {"GET", "HEAD", "OPTIONS"}:
             self.check_xsrf_cookie()
+
+        if not self.settings.get("allow_unauthenticated_access", False):
+            if not self.request.method:
+                raise HTTPError(403)
+            method = getattr(self, self.request.method.lower())
+            if not getattr(method, "__allow_unauthenticated", False):
+                # reuse `web.authenticated` logic, which redirects to the login
+                # page on GET and HEAD and otherwise raises 403
+                return web.authenticated(lambda _method: None)(self)
+
         return super().prepare()
 
     # ---------------------------------------------------------------

jupyter_server/serverapp.py

@@ -1214,6 +1214,21 @@ def _deprecated_password_config(self, change: t.Any) -> None:
         """,
     )
 
+    allow_unauthenticated_access = Bool(
+        True,
+        config=True,
+        help="""Allow requests unauthenticated access to endpoints without authentication rules.
+
+        When set to `True` (default in jupyter-server 2.0, subject to change
+        in the future), any request to an endpoint without an authentication rule
+        (either `@tornado.web.authenticated`, or `@allow_unauthenticated`)
+        will be permitted, regardless of whether user has logged in or not.
+
+        When set to `False`, logging in will be required for access to each endpoint,
+        excluding the endpoints marked with `@allow_unauthenticated` decorator.
+        """,
+    )
+
     allow_remote_access = Bool(
         config=True,
         help="""Allow requests where the Host header doesn't point to a local server