Fix bug in issue #1566 based on ideas in #1567.

This fixes a bug where changing the password still allowed
login by a previous cookie even if the server was restarted.

Author: emin63

jupyter_server/auth/identity.py

@@ -10,6 +10,7 @@
 
 import binascii
 import datetime
+import hashlib
 import json
 import os
 import re
@@ -610,6 +611,18 @@ def logout_available(self):
         """Whether a LogoutHandler is needed."""
         return True
 
+    def cookie_secret_hook(self, h: hashlib._Hash) -> hashlib._Hash:
+        """Update cookie secret input
+
+        Subclasses may call `h.update()` with any credentials that,
+        when changed, should invalidate existing cookies, such as a
+        password.
+
+        The updated hashlib object should be returned.
+
+        """
+        return h
+
 
 class PasswordIdentityProvider(IdentityProvider):
     """A password identity provider."""
@@ -740,6 +753,14 @@ def validate_security(
             self.log.critical(_i18n("\t$ python -m jupyter_server.auth password"))
             sys.exit(1)
 
+    def cookie_secret_hook(self, h: hashlib._Hash) -> hashlib._Hash:
+        """Include password in cookie secret.
+
+        This makes it so changing the password invalidates cookies.
+        """
+        h.update(self.hashed_password.encode())
+        return h
+
 
 class LegacyIdentityProvider(PasswordIdentityProvider):
     """Legacy IdentityProvider for use with custom LoginHandlers

jupyter_server/serverapp.py

@@ -1169,6 +1169,7 @@ def _default_cookie_secret(self) -> bytes:
             self._write_cookie_secret_file(key)
         h = hmac.new(key, digestmod=hashlib.sha256)
         h.update(self.password.encode())
+        h = self.identity_provider.cookie_secret_hook(h)
         return h.digest()
 
     def _write_cookie_secret_file(self, secret: bytes) -> None: