403 error _xsrf missing from POST

[SimonBiggs]

Hi Amit,

Love your work :). Just wanted to give a heads up. Currently trying to set up GitPlus within our environment here.

I ran the following steps as per the readme:

pip install --upgrade jupyterlab_gitplus
jupyter labextension install @reviewnb/jupyterlab_gitplus
jupyter serverextension enable --py jupyterlab_gitplus

as well as updating the config file as detailed below:

The error message within the jupyterlab server terminal is the following:

[W 01:44:05.261 LabApp] 403 POST /gitplus/modified_repo (127.0.0.1): '_xsrf' argument missing from POST                                                               [W 01:44:05.323 LabApp] 403 POST /gitplus/modified_repo (127.0.0.1) 63.00ms referer=http://lab.physics-server/lab?   

I'm more than happy to provide more debugging info. Thanks for building this.

Cheers,
Simon

[SimonBiggs]

If it helps I have also had similar issues with an extension I wrote a while ago:

SimonBiggs/scriptedforms#101
SimonBiggs/scriptedforms#57

[amit1rrr]

Love your work :).

Thanks @SimonBiggs :)

'_xsrf' argument missing from POST

Reading a few answers on stakcoverflow it seems like this happens when Jupyter notebook browser tab is idle for too long. Can you try refreshing browser tab? If that fails, try restarting Jupyter once just to be sure. Also, when this error happens with GitPlus can you do normal Jupyter server operation such as saving a notebook?

Another possibility is - You have 3 local_hostnames in the config. Is it possible that the browser tab is using one hostname and server APIs are on a different hostname? This could cause _xsrf error I believe. To eliminate this, can you try accessing Jupyter on the same endpoint that is printed on console when you start Jupyter.

These above experiments would help me understand the issue better. Thanks.

[SimonBiggs]

To add to that, I had the same issue on a completely different computer (still Windows 10) just using the default localhost host name and configuration. I'll see if the issue is repeatable on my home Linux machine.

[SimonBiggs]

And unfortunately the idle tab isn't the solution I opened it immediately after boot, and also tried incognito mode. All had the same issue.

[amit1rrr]

I just came across this article. It mentions,

The use of the xsrf token affects existing extensions / etc. that work directly with the notebook server via REST API. To make requests to the rest API, the _xsrf cookie must be sent back to the server in the X-XSRF-Token header of API requests

Just saw that JupyterLab is also adding _xsrf header.

I will figure out a way to incorporate this in GitPlus and release an update. Stay tuned.

Sorry for the inconvenience. This issue went undetected because it never occurred in my testing (maybe because I am using the same endpoint 127.0.0.1 everywhere or my xsrf config is disabled.)

[amit1rrr]

Meanwhile you can try out the extension by disabling xsrf. I wouldn't recommend it as a solution but just temporary workaround until I release a proper fix.

[SimonBiggs]

No inconvenience, no need to be sorry :). Glad the tool is being made, will look forward to rolling it out at our centre at work.

It meets quite a need, I have a centre wide hosted JupyterLab server, which is also under got version control. Helping people to create pull requests within JupyterLab as you are enabling it will massively help in the adoption of using got version as the standard.

[amit1rrr]

@SimonBiggs The fix for CORS issue is now released in version 0.1.3

Please upgrade your extension with,
jupyter labextension install @reviewnb/jupyterlab_gitplus

You can verify the version with,
jupyter labextension list

Feel free to reopen the issue if you face any problems.