Bug description
In the JupyterHub config, I enforce a username pattern using c.Authenticator.username_pattern = r'user_.+'.
Thus, trying to log in with an invalid user name, e.g., paul, results in displaying the error message "Invalid username or password".
However, the username and the password are stored in the database.
Expected behaviour
If the username is invalid, I expect that the credentials are not stored in the database.
Actual behaviour
The username and hashed password are stored in the database.
How to reproduce
- Set up a JupyterHub instance using FirstUseAuthenticator and a RegEx for usernames.
- Try to log in with an invalid username.
- The log-in fails but running the command `strings passwords.dbm.db` reveals that the invalid username gets saved.
Your personal set up
- OS: Ubuntu 20.04
- Version(s):
  - JupyterHub: 3.1.0
  - Python: 3.10
Full environment
alembic @ file:///tmp/wheelhouse/alembic-1.8.1-py3-none-any.whl
async-generator @ file:///tmp/wheelhouse/async_generator-1.10-py3-none-any.whl
attrs @ file:///tmp/wheelhouse/attrs-22.1.0-py2.py3-none-any.whl
bcrypt==4.0.1
certifi @ file:///tmp/wheelhouse/certifi-2022.9.24-py3-none-any.whl
certipy @ file:///tmp/wheelhouse/certipy-0.1.3-py3-none-any.whl
cffi @ file:///tmp/wheelhouse/cffi-1.15.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
charset-normalizer @ file:///tmp/wheelhouse/charset_normalizer-2.1.1-py3-none-any.whl
cryptography @ file:///tmp/wheelhouse/cryptography-38.0.4-cp36-abi3-manylinux_2_28_x86_64.whl
docker==6.0.1
dockerspawner==12.1.0
escapism==1.0.1
greenlet @ file:///tmp/wheelhouse/greenlet-2.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
gyp==0.1
idna @ file:///tmp/wheelhouse/idna-3.4-py3-none-any.whl
Jinja2 @ file:///tmp/wheelhouse/Jinja2-3.1.2-py3-none-any.whl
jsonschema @ file:///tmp/wheelhouse/jsonschema-4.17.3-py3-none-any.whl
jupyter-telemetry @ file:///tmp/wheelhouse/jupyter_telemetry-0.1.0-py3-none-any.whl
jupyterhub @ file:///tmp/wheelhouse/jupyterhub-3.1.0-py3-none-any.whl
jupyterhub-firstuseauthenticator==1.0.0
jupyterhub-idle-culler==1.2.1
Mako @ file:///tmp/wheelhouse/Mako-1.2.4-py3-none-any.whl
MarkupSafe @ file:///tmp/wheelhouse/MarkupSafe-2.1.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
oauthlib @ file:///tmp/wheelhouse/oauthlib-3.2.2-py3-none-any.whl
packaging @ file:///tmp/wheelhouse/packaging-21.3-py3-none-any.whl
pamela @ file:///tmp/wheelhouse/pamela-1.0.0-py2.py3-none-any.whl
prometheus-client @ file:///tmp/wheelhouse/prometheus_client-0.15.0-py3-none-any.whl
pycparser @ file:///tmp/wheelhouse/pycparser-2.21-py2.py3-none-any.whl
pycurl==7.44.1
pyOpenSSL @ file:///tmp/wheelhouse/pyOpenSSL-22.1.0-py3-none-any.whl
pyparsing @ file:///tmp/wheelhouse/pyparsing-3.0.9-py3-none-any.whl
pyrsistent @ file:///tmp/wheelhouse/pyrsistent-0.19.2-py3-none-any.whl
python-dateutil @ file:///tmp/wheelhouse/python_dateutil-2.8.2-py2.py3-none-any.whl
python-json-logger @ file:///tmp/wheelhouse/python_json_logger-2.0.4-py3-none-any.whl
requests @ file:///tmp/wheelhouse/requests-2.28.1-py3-none-any.whl
ruamel.yaml @ file:///tmp/wheelhouse/ruamel.yaml-0.17.21-py3-none-any.whl
ruamel.yaml.clib @ file:///tmp/wheelhouse/ruamel.yaml.clib-0.2.7-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl
six @ file:///tmp/wheelhouse/six-1.16.0-py2.py3-none-any.whl
SQLAlchemy @ file:///tmp/wheelhouse/SQLAlchemy-1.4.44-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
tornado @ file:///tmp/wheelhouse/tornado-6.2-cp37-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
traitlets @ file:///tmp/wheelhouse/traitlets-5.6.0-py3-none-any.whl
urllib3 @ file:///tmp/wheelhouse/urllib3-1.26.13-py2.py3-none-any.whl
websocket-client==1.4.2
wget==3.2
Configuration
c = get_config()
c.JupyterHub.authenticator_class = 'firstuseauthenticator.FirstUseAuthenticator'
c.FirstUseAuthenticator.min_password_length = 4
c.Authenticator.username_pattern = r'user_.+'
# debug-logging for testing
import logging
c.JupyterHub.log_level = logging.DEBUG
Logs
[W 2023-08-21 16:32:32.370 JupyterHub base:825] Failed login for paul
[I 2023-08-21 16:32:32.373 JupyterHub log:186] 200 POST /hub/login?next=%2Fhub%2F 307.96ms
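An added example, not part of the original report or of the project's code: a small audit that lists entries in the password store whose username does not match the configured `username_pattern`, and optionally deletes them. It assumes the store is a Python `dbm` file keyed by UTF-8 username with the password hash as the value, and that the pattern must match the whole username; the function names and the sample entries are constructed for illustration.

```python
import dbm
import os
import re
import tempfile


def audit_password_db(dbm_path, username_pattern, purge=False):
    """Return stored usernames that fail username_pattern.

    Assumption: keys are UTF-8 usernames, values are password hashes.
    With purge=True the offending entries are also deleted.
    """
    regex = re.compile(username_pattern)
    # Open read-only unless we were asked to delete entries.
    with dbm.open(dbm_path, "w" if purge else "r") as db:
        stale = [
            key for key in db.keys()
            if not regex.fullmatch(key.decode("utf-8", "replace"))
        ]
        if purge:
            for key in stale:
                del db[key]
    return sorted(key.decode("utf-8", "replace") for key in stale)


def constructed_demo():
    """Build a throwaway store with constructed entries and audit it."""
    path = os.path.join(tempfile.mkdtemp(), "passwords.dbm")
    with dbm.open(path, "c", 0o600) as db:
        db[b"user_alice"] = b"<constructed-hash-1>"  # matches the pattern
        db[b"paul"] = b"<constructed-hash-2>"        # rejected at login, still stored
    found = audit_password_db(path, r"user_.+", purge=True)
    remaining = audit_password_db(path, r"user_.+")
    return found, remaining


if __name__ == "__main__":
    # First list: entries that violated the pattern; second: after purge.
    print(constructed_demo())
```

Run a purge only while the hub is stopped, since `dbm` files are not safe for concurrent writers.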