From 31f53c6ede4a670dd1b0a52b3ad4cfc680ec6f50 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Mon, 25 Apr 2022 13:31:37 +0200
Subject: [PATCH] check_xsrf_cookie after authentication

now that get_user is async, we have to re-run the check in prepare

---
jupyter_server/base/handlers.py | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/jupyter_server/base/handlers.py b/jupyter_server/base/handlers.py
index 9c95898b6..5605cfe75 100644
--- a/jupyter_server/base/handlers.py
+++ b/jupyter_server/base/handlers.py
@@ -506,6 +506,9 @@ def check_referer(self):

def check_xsrf_cookie(self):
"""Bypass xsrf cookie checks when token-authenticated"""
+ if not hasattr(self, "_jupyter_user"):
+ # Called too early, will be checked later
+ return
if self.token_authenticated or self.settings.get("disable_check_xsrf", False):
# Token-authenticated requests do not need additional XSRF-check
# Servers without authentication are vulnerable to XSRF
@@ -593,8 +596,11 @@ async def prepare(self):

# self.current_user for tornado's @web.authenticated
# self._jupyter_user for backward-compat in deprecated get_current_user calls
+ # and our own private checks for whether .current_user has been set
self.current_user = self._jupyter_user = user
+ # complete initial steps which require auth to resolve first:
self.set_cors_headers()
+ self.check_xsrf_cookie()
return super().prepare()

# ---------------------------------------------------------------
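Review bot: The new `hasattr(self, "_jupyter_user")` guard at the top of `check_xsrf_cookie` makes the check fail open: tornado's `RequestHandler._execute` invokes `check_xsrf_cookie` before `prepare()` has run, so that invocation now always returns without checking anything, and nothing in the method records that the check was deferred. The method's protection then rests entirely on `prepare()` calling it a second time once `_jupyter_user` is set; a subclass that overrides `prepare()` without reaching `super().prepare()`, or any path that never sets `_jupyter_user`, skips the XSRF check silently. A cheap fail-closed improvement is to mark the deferral, `self._xsrf_check_deferred = True` just before the `return`, so that `prepare()` or a finish hook can assert the check actually ran, and to replace the comment with one that states the invariant: `# tornado calls this before prepare() has resolved the user; prepare() MUST re-run it, otherwise the XSRF check never happens`. The body of check_xsrf_cookie continues past the end of this hunk.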
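Review bot: The unconditional `self.check_xsrf_cookie()` added after `set_cors_headers()` runs under broader conditions than the tornado call it replaces: tornado only invokes the check for methods other than GET, HEAD and OPTIONS, and only when the `xsrf_cookies` setting is enabled, whereas this call fires for every request regardless of method or setting. Unless the part of `check_xsrf_cookie` outside this diff exempts those cases itself, CORS preflight OPTIONS requests (which carry neither the cookie nor the header) and deployments running without `xsrf_cookies` would start receiving 403s from `prepare()`. Mirroring tornado's gate keeps the original semantics: `if self.request.method not in ("GET", "HEAD", "OPTIONS") and self.settings.get("xsrf_cookies"):` followed by the indented `self.check_xsrf_cookie()`; if the GET/HEAD handling in the rest of `check_xsrf_cookie` is deliberate, drop those two methods from the tuple and keep the OPTIONS and setting gate. The `async def prepare` signature and the user-resolution code preceding this hunk are outside the diff.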