
Kiss off users #434

Open
@c0ntradicti0n

Problem

I tried to add a kind of revocation of user access by calling the hub endpoint:

PATCH http://{{hub-host}}/hub/api/shares/{{username}}/
Content-Type: application/json

{
  "user": "{{other_user}}"
}

(authenticates with the hub-login-cookie)

The basic problem is that the ydoc connection to that user is never cancelled.
Until the jupyterhub-{{lab-server-name}} cookie expires (or the hub-login?), that connection can even still be re-established, even on page reload.
On page reload, it takes some time anyway until the hub-login has to be refreshed; then one cannot access the shared server anymore. That is nice.

I wonder why the lab itself should not handle revoking connections too, maybe by slowly polling existing shares at some interval to check whether the user still has access. And because there is no such mechanism, the ydoc connection will allow loading and editing any document, as long as it stays open. So once a server is shared and one gets access, the sharing person cannot really revoke access anymore.

Proposed Solution

  • Every 5 seconds, the Lab should query the Hub to verify if the users in the YDoc room are still authorized.

  • If the doc-server maintains a more robust awareness of active users and their permissions, the collaborators menu and access controls can become more reliable and responsive.

Additional context

Environment Setup:

  • JupyterHub Version: 5.2.1 (OAuth-connected)
  • JupyterLab Version: jupyterlab-4.4.0a2
  • Jupyter Collaboration Extension: 3.1.0 (also with latest main branch)
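
The periodic check proposed above, sketched as an added example (not code from jupyter-collaboration or JupyterHub). `RoomGuard`, `fetch_allowed` and the connection objects are hypothetical names; `fetch_allowed` stands in for whatever Hub query returns the currently authorized usernames, and closing every connection after repeated Hub errors is an assumed policy.

```python
import asyncio

POLICY_VIOLATION = 1008  # RFC 6455 close code for a policy violation


class RoomGuard:
    """Tracks live connections of one shared room and drops revoked users.

    `fetch_allowed` is a hypothetical async callable returning the set of
    usernames the Hub currently authorizes (owner plus active shares).
    Connections are any objects exposing `async close(code, reason)`.
    """

    def __init__(self, fetch_allowed, max_failures=3):
        self.fetch_allowed = fetch_allowed
        self.max_failures = max_failures  # assumed policy: fail closed after N errors
        self.failures = 0
        self.connections = {}  # username -> set of open connections

    def register(self, user, conn):
        self.connections.setdefault(user, set()).add(conn)

    async def _drop(self, user, reason):
        for conn in self.connections.pop(user, set()):
            await conn.close(POLICY_VIOLATION, reason)

    async def sweep(self):
        """Run one authorization check; return the usernames disconnected."""
        try:
            allowed = set(await self.fetch_allowed())
            self.failures = 0
        except Exception:
            self.failures += 1
            if self.failures < self.max_failures:
                return []  # tolerate a short Hub outage
            allowed = set()  # Hub unreachable too long: fail closed
        revoked = [u for u in self.connections if u not in allowed]
        for user in revoked:
            await self._drop(user, "access revoked")
        return sorted(revoked)

    async def run(self, interval=5.0):
        """Sweep every `interval` seconds (5 s as proposed in the issue)."""
        while True:
            await self.sweep()
            await asyncio.sleep(interval)
```

The sweep only covers connections that are already open; because the issue reports that a connection can be re-established after revocation, the same lookup would also have to run when a connection is opened.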

Labels: enhancement (New feature or request)
