I have done simple local tests and I see that all the POST requests to the nbgrader API have the _xsrf, JupyterHub hub session cookie and nbgrader service cookie set, and all the requests are passing. Moreover, looking at the nbgrader sources, they are overriding Backbone.sync to set the CSRF token header by reading the _xsrf cookie on the request.
Probably the httpOnly flag is preventing the client-side JS from accessing the _xsrf cookie, as you predicted. You can test it by accessing JupyterHub directly from its ClusterIP (bypassing the ingress) from a browser and checking whether the nbgrader API calls contain the _xsrf cookie.
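To make the mechanism in the post above concrete, here is an added example (not nbgrader's own code, and not part of the original thread) of how a Backbone.sync override reads the _xsrf cookie and copies it into the request header, and why an HttpOnly _xsrf cookie breaks it. The function names (parseCookies, getXsrfToken, xsrfHeadersFor, withXsrf, demo), the injected cookie reader and the sample cookie strings are assumptions for offline demonstration; in a real browser the reader would be `() => document.cookie`.

```javascript
// Added example, not nbgrader's code. Shows how an nbgrader-style
// Backbone.sync wrapper would copy the _xsrf cookie into the X-XSRFToken
// header that Tornado (JupyterHub/nbgrader) checks, and what happens when
// the cookie carries HttpOnly and is therefore invisible to page JS.

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Return the _xsrf token visible to page JS, or null if absent.
// If the server (or a proxy in front of it) set _xsrf with HttpOnly, the
// browser omits it from document.cookie, so this returns null even though
// the cookie is present on the wire.
function getXsrfToken(cookieString) {
  const cookies = parseCookies(cookieString);
  return Object.prototype.hasOwnProperty.call(cookies, '_xsrf') ? cookies['_xsrf'] : null;
}

// Headers for a state-changing request. Tornado accepts the token in the
// X-XSRFToken header and compares it with the _xsrf cookie; GET needs none.
function xsrfHeadersFor(method, cookieString) {
  const headers = {};
  if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method.toUpperCase())) {
    const token = getXsrfToken(cookieString);
    if (token !== null) headers['X-XSRFToken'] = token;
  }
  return headers;
}

// Wrap a Backbone.sync-shaped function (method, model, options) so every
// call gets the header. `readCookies` is injected (hypothetical) so the
// example runs outside a browser.
function withXsrf(sync, readCookies) {
  const verbs = { create: 'POST', update: 'PUT', patch: 'PATCH', delete: 'DELETE', read: 'GET' };
  return function (method, model, options) {
    options = Object.assign({}, options);
    options.headers = Object.assign(
      {},
      options.headers,
      xsrfHeadersFor(verbs[method] || 'GET', readCookies())
    );
    return sync(method, model, options);
  };
}

// Constructed sample cookie strings (not captured from a real deployment).
// Tornado's _xsrf value looks like "2|<hex>|<hex>|<timestamp>".
const COOKIE_VISIBLE = '_xsrf=2|abc|def|1700000000; jupyterhub-session-id=s1';
// With HttpOnly on _xsrf, document.cookie only exposes the other cookies.
const COOKIE_HTTPONLY = 'jupyterhub-session-id=s1';

// Run a fake "create" (POST) through the wrapper under both cookie views and
// return the headers that would go out. With the visible cookie the header
// is set; with the HttpOnly view it is missing and Tornado would reject
// the POST with 403 "'_xsrf' argument missing from POST".
function demo() {
  const fakeSync = (method, model, options) => options.headers;
  const withVisible = withXsrf(fakeSync, () => COOKIE_VISIBLE)('create', {}, {});
  const withHidden = withXsrf(fakeSync, () => COOKIE_HTTPONLY)('create', {}, {});
  return { withVisible, withHidden };
}
```

The check a practitioner would run in the browser is simply `document.cookie.includes('_xsrf')` on the hub page: if it is false while the request in the network tab still carries the cookie, the flag is being added in front of the hub, which is exactly the proxy behaviour discussed later in this thread.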
Thanks. I agree.
We run jupyterhub on a server. Assuming that the cluster IP of proxy_public on the server is ip_2, do you know how I can access that in my browser?
Yes, if SSH port forwarding is allowed on the server, you can do something like this:
ssh -L 8000:<ClusterIP>:<port> <server>
and on your local machine you can access the service using http://localhost:8000 in the browser. If port forwarding is not allowed on your server, maybe you can install Chromium on the remote server and, using the X server option of SSH, access the remote browser locally from your machine.
Thanks. I got a new update from our IT dept.: they are using a proxy manager that enforces httpOnly on all cookies.
When I do the port forwarding, the httpOnly flag is no longer there.
But there is another issue: authentication.
The authentication is currently using LTI, which doesn't work with localhost. Is there a way to skip the authentication (or have simple user/pass auth) if the user directly hits the public_proxy endpoint?
Thanks. Is it possible to have two separate authentication methods simultaneously, so that the course admins can use the second authentication method while other users use LTI?
Unfortunately no! Not out of the box, at least. If the JupyterHub is in production and you cannot change the Authenticator, you can try installing a browser on the server and accessing that browser using ssh -X <server>. If not, simply deploy another instance of JupyterHub on k8s in a different namespace for testing, so that you can use a different Authenticator.