/user/* should be protected by the JupyterHub login.
Are you sure the incognito window created a completely new session? I’ve found that occasionally an incognito window can retain some old state, which means you’re still logged in to the OAuth provider.
Can you show us your full browser console network requests?
In your hub logs can you indicate (e.g. by timestamp ranges) which of those logs correspond to the original login and starting of the server, and which correspond to the requests from the incognito window that shouldn’t be allowed?
Can you also show the full set of requests for the incognito browser, starting from when you first open the incognito window?
Your screenshot looks like it’s running vs code. Can you share what the launch command inside the container is (it should be something like jupyterhub-singleuser) and the logs from the pod?
```yaml
extraConfig:
  code_spawner.py: |
    from kubespawner.spawner import KubeSpawner
    from jupyterhub.spawner import _quote_safe

    class CodeSpaceKubeSpawner(KubeSpawner):
        def get_args(self):
            """Custom args function for the coder"""
            # Turn off authentication (happens via jupyterhub)
            args = ["--auth", "none"]
            # Turn off telemetry
            args += ["--disable-telemetry"]
            # Set App Name
            args += ["--app-name", "DnACodeSpace"]
            # set port and ip if given
            ip = "0.0.0.0"
            if self.ip:
                ip = _quote_safe(self.ip)
            port = 8888
            if self.port:
                port = self.port
            elif self.server and self.server.port:
                self.log.warning(
                    "Setting port from user.server is deprecated as of JupyterHub 0.7."
                )
                port = self.server.port
            args += ["--bind-addr", f"{ip}:{port}"]
            # set startup folder
            if self.notebook_dir:
                notebook_dir = self.format_string(self.notebook_dir)
                args += ["--user-data-dir", _quote_safe(notebook_dir)]
            # if self.debug:
            #     args += ["-vvv"]
            args.extend(self.args)
            return args

        def get_env(self):
            env = super().get_env()
            user_options_env = self.user_options.get("env", {})
            env.update(user_options_env)
            return env

    # Use the configured spawner
    c.JupyterHub.spawner_class = CodeSpaceKubeSpawner
  code_settings.py: |
    # The working dir is by default set to
    # /home/coder in the VSCode image
    c.CodeSpaceKubeSpawner.working_dir = "/home/coder"
    # By default, the cmd includes the call to "jupyterhub-singleserver"
    # However, the docker image already comes with the correct
    # VSCode command to call, so we just set it to an empty string here
    c.CodeSpaceKubeSpawner.cmd = ""

    # Dynamically Get the set_resource capacity from the user options or set default values
    def set_resource(spawner):
        # user_storage_capacity = spawner.storage_capacity
        # user_pvc_name = spawner.pvc_name
        spawner.storage_capacity = spawner.user_options.get("storage_capacity", "1Gi")
        spawner.mem_guarantee = spawner.user_options.get("mem_guarantee", "256M")
        spawner.mem_limit = spawner.user_options.get("mem_limit", "4G")
        spawner.cpu_limit = spawner.user_options.get("cpu_limit", 3)
        spawner.cpu_guarantee = spawner.user_options.get("cpu_guarantee", 0.2)
        # expand_pvc_command = f'kubectl patch pvc {user_pvc_name} -p \'{{"spec":{{"resources":{{"requests":{{"storage":"{user_storage_capacity}"}}}}}}}}\''
        # os.system(expand_pvc_command)

    c.CodeSpaceKubeSpawner.pre_spawn_hook = set_resource
    c.CodeSpaceKubeSpawner.extra_container_config = {
        'livenessProbe': {
            'httpGet': {
                'path': '/healthz',
                'port': 'notebook-port',
                'scheme': 'HTTP'
            },
            'initialDelaySeconds': 30,
            'periodSeconds': 60,
            'timeoutSeconds': 5,
            'successThreshold': 1,
            'failureThreshold': 5
        }
    }
```
I believe this is disabling auth altogether. This is not an argument understood by jupyterhub-singleuser, which means your launch command is presumably launching vscode directly without any auth enabled.
The singleuser command is responsible for implementing authentication, so if you launch a command with no auth enabled, there will be no auth protecting your servers.
If you want to rely on the default jupyterhub authentication, you can put your command behind jupyter-server-proxy.
@minrk thanks a lot, I will have a look at these docs.
Yes, you are right, I’m launching the vscode directly. auth --none is the cmd for vs code I’m passing for startup.
As @minrk suggested, using jupyter-server-proxy is a better way to do it. Both code-server and jupyter-server-proxy support unix sockets so that you can disable password based auth and use unix sockets to securely provide VSCode to your users. Here is an example of entry point to jupyter-server-proxy for code-server
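The arrangement suggested in the replies, as an added example that is not part of any post in this thread and not the project's own code: `setup_code_server()` is a server-process definition for jupyter-server-proxy that puts code-server on a unix socket, and `audit_launch_args()` is a hypothetical helper that classifies an argument list by who can reach the editor. It assumes a jupyter-server-proxy release that supports the `unix_socket` option, code-server on `PATH`, and `jupyterhub-singleuser` left in place as the container command so the hub login still applies; the function names, the launcher title and `THREAD_ARGS` are constructed for illustration.

```python
import ipaddress

def setup_code_server():
    """Server-process definition for jupyter-server-proxy (entry-point style)."""
    return {
        # jupyter-server-proxy substitutes {unix_socket} when it starts the process.
        "command": ["code-server", "--auth", "none", "--disable-telemetry",
                    "--socket", "{unix_socket}"],
        "unix_socket": True,  # socket is created in a fresh temporary directory
        "timeout": 30,
        "launcher_entry": {"title": "VS Code"},
    }

def _option(args, name):
    """Return the value of `--name value` or `--name=value`, or None if absent."""
    for i, arg in enumerate(args):
        if arg == name and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None

def audit_launch_args(args):
    """Classify who can reach a code-server started with this argument list."""
    if _option(args, "--auth") != "none":
        return "code-server-auth"     # code-server's own auth is still switched on
    if _option(args, "--socket"):
        return "unix-socket"          # no TCP listener; reached via the local proxy
    bind = _option(args, "--bind-addr")
    if bind is None:
        return "unknown"              # code-server's default applies; verify it
    host = bind.rsplit(":", 1)[0].strip("[]")
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"
    return "loopback-only" if loopback else "exposed"

# Constructed sample: the arguments get_args() in the thread's config produces.
THREAD_ARGS = ["--auth", "none", "--disable-telemetry", "--app-name", "DnACodeSpace",
               "--bind-addr", "0.0.0.0:8888"]

if __name__ == "__main__":
    print("thread config :", audit_launch_args(THREAD_ARGS))
    print("proxied config:", audit_launch_args(setup_code_server()["command"]))
```

The definition is picked up when the function is registered under the `jupyter_serverproxy_servers` entry point group of an installed package, or when the same dictionary is assigned under `c.ServerProxy.servers` in the single-user server's config.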