^htSrSSKJr SSKrSSKrSSKrSSKrSSKrSSKrSSK r SSK r SSK J r Jr SSKJr SSKJrJrJr SSKJrJrJrJrJrJrJrJrJr SSKJ r SS K!J"r" S S K#J$r$J%r% S S K&J'r' \RP"S 5r)\ RTSr+\"SS55r,SSjr-"SS\ 5r."SS\.5r/"SS\/5r0g)zIdentity Provider interface This defines the _authentication_ layer of Jupyter Server, to be used in combination with Authorizer for _authorization_. .. versionadded:: 2.0 ) annotationsN)asdict dataclass)Morsel)escapehttputilweb) BoolDictEnumList TraitErrorTypeUnicodedefaultvalidate)LoggingConfigurable)_i18n) passwd_check set_password)get_anonymous_usernamez [^A-Za-z0-9]name display_nameinitials avatar_urlcolorcv\rSrSr%SrS\S'SrS\S'SrS\S'SrS \S 'Sr S \S 'Sr S \S 'S r Sr Sr g)User&zaObject representing a User This or a subclass should be returned from IdentityProvider.get_user strusernamerrN str | Nonerrrc$UR5 gN) fill_defaultsselfs V/home/james-whalen/.local/lib/python3.13/site-packages/jupyter_server/auth/identity.py __post_init__User.__post_init__>s cUR(dSU3n[U5eUR(dURUlUR(dURUlgg)zFill out default fields in the identity model - Ensures all values are defined - Fills out derivative values for name fields fields - Fills out null values for optional fields z!user.username must not be empty: N)r# ValueErrorrr)r*msgs r+r(User.fill_defaultsAsO}}5dV&> ! $H:.o  ,'z2CS/t + ,s / B B&c n\rSrSr%Sr\"SS\"S5S9rS\S'\ "S\"S 5S9r \ "S SS\"S 5S 9r S \S'\ "S\"S5S9r \"S\"S5S9RSS9rS\S'\"S\R$S\"S5S9r\"S\R$S\"S5S9r\"\"\"\R2"\555S/S\"S5S9rSr\"S5S5r\"S5S 5r \ "S5r!S!\S"'S>S#jr"S?S$jr#S@S%jr$SAS&jr%SBS'jr&SCS(jr'SDS)jr(SES*jr)SFS+jr*SGS,jr+SHS-jr,SIS.jr-SJSKS/jjr.SCS0jr/S>S1jr0\1Rd"S2\1Rf5r4SLS3jr5S?S4jr6SMS5jr7SNS6jr8SNS7jr9SOSPS8jjr:S?S9jr;\\aToken used for authenticating first-time connections to the server. The token can be read from the file referenced by JUPYTER_TOKEN_FILE or set directly with the JUPYTER_TOKEN environment variable. When no password is enabled, the default is to generate a new, random token. Setting to an empty string disables authentication altogether, which is NOT RECOMMENDED. Prior to 2.0: configured as ServerApp.token )rI)rHtokenz*jupyter_server.auth.login.LoginFormHandlerz'The login handler class to use, if any.) default_valueklassrHrIz(jupyter_server.auth.logout.LogoutHandlerz The logout handler class to use.rz5List of fields in the User model that can be updated.)traitrNrHrIFc[R"S5(aSUl[RS$[R"S5(a=SUl[ [RS5nUR 5sSSS5 $UR (dSUlgSUl[R"[R"S55RS5$!,(df  Ng=f)N JUPYTER_TOKENFJUPYTER_TOKEN_FILEr$Tascii) osgetenvtoken_generatedenvironopenread need_tokenbinasciihexlifyurandomdecode)r* token_files r+_token_defaultIdentityProvider._token_defaults 99_ % %#(D ::o. . 99) * *#(D bjj!567:!(87#(D #'D ##BJJrN3::7C C87s 4C'' C5updatable_fieldsc[[R"[55nUSVs/sH o3U;dM UPM nnU(aSU3n[ U5eUS$s snf)z7Validate that all fields in updatable_fields are valid.valuez$Invalid fields in updatable_fields: )listtget_argsUpdatableFieldr)r*proposalvalid_updatable_fieldsrBinvalid_fieldsr1s r+_validate_updatable_fields+IdentityProvider._validate_updatable_fieldssl"&ajj&@!A'0 0eAW4WE0   88HICS/ !   s AAz%bool | Bool[bool, t.Union[bool, int]]r\c$URU5$)zGet the authenticated user for a request Must return a :class:`jupyter_server.auth.User`, though it may be a subclass. Return None if the request is not authenticated. _may_ be a coroutine ) _get_userr*handlers r+get_userIdentityProvider.get_users~~g&&r.c# [USS5(a%[R"[UR5$UR U5n[ U[R5(a UIShvN nUnURU5n[ U[R5(a UIShvN nUnU=(d UnUb UbXe:waURX5 SUl UcURU5nURU5nUb/URRSU35 URU5 UR (d"UR#U5nURX5 U$NN7f) Get the user._jupyter_current_userNTz&Clearing invalid/expired login cookie )getattrrhcastr rxget_user_tokenr< Awaitableget_user_cookieset_login_cookie_token_authenticatedget_cookie_name get_cookielogwarningclear_login_cookie auth_enabledgenerate_anonymous_user) r*rs _token_user token_user _cookie_user cookie_useruserrJcookies r+rqIdentityProvider._get_usersP 73T : :66$ = => >>B>Q>QRY>Z k1;; / / ++K"- ++G4 lAKK 0 0!--L#/ ([   6"%%g4,0G ( <..w7K'' 4F!  #I+!WX''0$$33G<%%g4 I,.s%A-E0/E,0;E0+E.,CE0.E0cURU5 [R"[UR5nUR X25nUR U5 U$)z3Update user information and persist the user model.) check_updaterhrzr current_userupdate_user_modelpersist_user_model)r*rs user_datar updated_users r+ update_userIdentityProvider.update_user(sL )$vvdG$8$89 --lF  (r.cVUH#nX R;dMSUS3n[U5e g)z2Raises if some fields to update are not updatable.zField z is not updatableN)rdr0)r*rrBr1s r+rIdentityProvider.check_update2s1E111ug%67 o%r.c[ezUpdate user information.NotImplementedError)r*rrs r+r"IdentityProvider.update_user_model9!!r.c[e)z'Persist the user model (i.e. a cookie).rrrs r+r#IdentityProvider.persist_user_model=rr.c[U5$)z"Return a User as an Identity model)r)r*rs r+identity_modelIdentityProvider.identity_modelAsd|r.c/nUR(aURSUR45 UR(aURSUR45 U$)zgReturn list of additional handlers for this identity provider For example, an OAuth callback handler. z/loginz/logout)login_availableappendlogin_handler_classlogout_availablelogout_handler_class)r*handlerss r+ get_handlersIdentityProvider.get_handlersFsN     OOY(@(@A B  OOZ)B)BC Dr.c[R"URURURUR UR S.5nU$)zSerialize a user to a string for storage in a cookie If overriding in a subclass, make sure to define user_from_cookie as well. Default is just the user's username. )r#rrrr)jsondumpsr#rrrr)r*rrs r+user_to_cookieIdentityProvider.user_to_cookieRsC MM $ 1 1 MM    r.c l[R"U5n[USUSUSUSSUS5$)zInverse of user_to_cookier#rrrNr)rloadsr )r* cookie_valuers r+user_from_cookie!IdentityProvider.user_from_cookieesFzz,'   L     M   r.cUR(a UR$[RSSURR35$)zReturn the login cookie name Uses IdentityProvider.cookie_name, if defined. Default is to generate a string taking host into account to avoid collisions for multiple servers on one hostname with different ports. -z username-)rJ _non_alphanumsubrequesthostrrs r+r IdentityProvider.get_cookie_nameqs>   ## # $$SIgoo6J6J5K*LM Mr.c0nURUR5 URSS5 URnUcURR S:HnU(aURSS5 URSUR 5 URU5nUR"XPRU540UD6 g)z9Call this on handlers to set the login cookie for successhttponlyTNhttpssecurepath) updatecookie_options setdefaultrLrprotocolbase_urlrset_secure_cookier)r*rsrrrLrJs r+r~!IdentityProvider.set_login_cookie}sd112!!*d3**  #OO44?M   % %h 5!!&'*:*:;**73 !!+/B/B4/H[N[r.c[R"U5n[RR[RR S9[R "SS9- n[5nURUSS5 [R"U5US'X6S'U(aXFS'URS UR55 g ) aIDeletes the cookie with the given name. Tornado's cookie handling currently (Jan 2018) stores cookies in a dict keyed by name, so it can only modify one cookie with a given name per response. The browser can store multiple cookies with the same name but different domains and/or paths. This method lets us clear multiple cookies with the same name. Due to limitations of the cookie protocol, you must pass the same path and domain to clear a cookie as were used when that cookie was set (but there is no way to find out on the server side which values were used for a given cookie). )tzim)daysr$z""expiresrdomainz Set-CookieN) r native_strdatetimenowtimezoneutc timedeltarsetrformat_timestamp add_header OutputString)r*rsrrrrmorsels r+_force_clear_cookie$IdentityProvider._force_clear_cookies   &##''8+<+<+@+@'AHDVDV\_D`` & 4T"$55g>yv %8 <)<)<)>?r.c0nURUR5 URSUR5nUR U5nUR XCS9 U(aUS:waUR X5 ggg)z - in header: Authorization: token rMr$ Authorization) get_argumentauth_header_patmatchrheadersgetgroup)r*rs user_tokenms r+ get_tokenIdentityProvider.get_tokens]))'26 $$**7??+B+B+F+FXZ+[\AWWQZ r.c# [R"SUR5nU(dgURU5nSnX2:Xa2URR SUR R5 SnU(aRURU5n[U[R5(a UIShvN nUnUcURU5nU$gN7f)zvIdentify the user based on a token in the URL or Authorization header Returns: - uuid if authenticated - None if not r%NFz-Accepting token-authenticated request from %sT) rhrzrMrrrr remote_ipr}r<r|r)r*rsrMr authenticated_userrs r+r{IdentityProvider.get_user_tokens|W]]3^^G,    HHNN?)) !M ((1E%--#  %D|33G<K $sB0C2C3Cc[R"5Rn[5nSU3=pESUS3nSnURR SU35 [ X$XVSU5$)zmGenerate a random anonymous user. For use when a single shared token is used, but does not identify a user. z Anonymous ArNz5Generating new user for token-authenticated request: )uuiduuid4hexrrrr )r*rsuser_idmoonrrrrs r+r(IdentityProvider.generate_anonymous_usersm **,""%' *4&11tAwi= QRYQZ[\G<4GGr.c.URU5(+$)a Should the Handler check for CORS origin validation? Origin check should be skipped for token-authenticated requests. Returns: - True, if Handler must check for valid CORS origin. - False, if Handler should skip origin check since requests are token-authenticated. )is_token_authenticatedrrs r+should_check_origin$IdentityProvider.should_check_origins..w777r.c4UR [USS5$)zReturns True if handler has been token authenticated. Otherwise, False. Login with a token is used to signal certain things, such as: - permit access to REST API - xsrf protection - skip origin-checks for scripts rF)rryrrs r+r'IdentityProvider.is_token_authenticateds w 6>>r.c(UR(dTSnUcURRUS35 UR(dURRUS35 ggUR(dURRS5 gg)znCheck the application's security. Show messages, or abort if necessary, based on the security configuration. z $  A  .5    .  cc! *$B   < =  @   5 6 4 >234i J K O WDD  ! !" !9=T J5B '+Z)6O &"" &   N\"]a@)@14@+r.c:URXR5 g)z#Persist the user model to a cookie.N)r~rrrs r+r+PasswordIdentityProvider.persist_user_models g';';[TU]X5 UR(aUR(dURR [ S55 URR [ S55 URR [ S55 [R"S5 ggg)zHandle security validation.>Jupyter servers are configured to only be run with a password.1Hint: run the following command to set a password) $ python -m jupyter_server.auth passwordrN) superrpassword_requiredr8rcriticalrsysexit)r*r r __class__s r+r*PasswordIdentityProvider.validate_securitys !#3  ! !4+?+? HH  VW  HH  e$WX Y HH  e$PQ R HHQK ,@ !r.)r8r$r,r)r*r%r'r-)r3r4r5r6r7rrr8r rYrNrr9r<r4rrrrrrrr9 __classcell__)r]s@r+r6r6fs'     O       !       \..   ! !!88=<604   -    r.r6c\rSrSrSr\"5r\"S5S5r\"S5S5r \ S5r SSjr \ SS j5r SS jrSS jrSSS jjrSrg )LegacyIdentityProviderizLegacy IdentityProvider for use with custom LoginHandlers Login configuration has moved from LoginHandler to IdentityProvider in Jupyter Server 2.0. rOc4URURS.$)N)rMr)rMr8r)s r+_default_settings(LegacyIdentityProvider._default_settingssZZ,,  r.rcSSKJn U$)Nr)LegacyLoginHandler)loginrg)r*rgs r+_default_login_handler_class3LegacyIdentityProvider._default_login_handler_classs -!!r.cUR$r')rr)s r+r#LegacyIdentityProvider.auth_enableds###r.cVURRU5nUcg[U5$)rwN)rrtrC)r*rsrs r+rtLegacyIdentityProvider.get_users+''009 <$T**r.c^[URRUR55$r')r,rget_login_availablerOr)s r+r&LegacyIdentityProvider.login_available s*  $ $ 8 8    r.cJ[URRU55$)zWhether we should check origin.)r,rrrrs r+r*LegacyIdentityProvider.should_check_originsD,,@@IJJr.cJ[URRU55$)z#Whether we are token authenticated.)r,rrrrs r+r-LegacyIdentityProvider.is_token_authenticatedsD,,CCGLMMr.NcUR(aUR(dURR[ S55 URR[ S55 URR[ S55 [ R "S5 URRX5 g)zValidate security.rUrVrWrN) rYr8rrZrr[r\rr)r*r rs r+r(LegacyIdentityProvider.validate_securitys  ! !4+?+? HH  VW  HH  e$WX Y HH  e$PQ R HHQK   22  r.r:r%r_r+r'r-)r3r4r5r6r7r rOrrdrir4rrtrrrrr9r:r.r+rbrbsvH Z   "#"$" $$+  KN04  -     r.rb)r@r.r$r )1r7 __future__rr]rrrVr1r[typingrhr dataclassesrr http.cookiesrtornadorrr traitletsr r r r rrrrrtraitlets.configrjupyter_server.transutilsrsecurityrrutilsrr2rLiteralrjr rCrEr6rbr:r.r+rs#  )))ZZZ0+0) ?+ TU +*+* +*\:q*qh/DA 5A r.