Rename jhub-apps access_token cookie to be explicit

[aktech]

Reference Issues or PRs

At the moment the name of the cookie is access_token, which is a very generic name. It would be better to prefix it with the app it belongs to, so as to avoid confusion while development.

What does this implement/fix?

Put a x in the boxes that apply

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds a feature)
• Breaking change (fix or feature that would cause existing features not to work as expected)
• Documentation Update
• Code style update (formatting, renaming)
• Refactoring (no functional changes, no API changes)
• Build related changes
• Other (please describe):

Testing

• Did you test the pull request locally?
• Did you add new tests?

Documentation

Access-centered content checklist

Text styling

• The content is written with plain language (where relevant).
• If there are headers, they use the proper header tags (with only one level-one header: H1 or # in markdown).
• All links describe where they link to (for example, check the Nebari website).
• This content adheres to the Nebari style guides.

Non-text content

• All content is represented as text (for example, images need alt text, and videos need captions or descriptive transcripts).
• If there are emojis, there are not more than three in a row.
• Don't use flashing GIFs or videos.
• If the content were to be read as plain text, it still makes sense, and no information is missing.

Any other comments?

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
jhub-apps	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Sep 4, 2024 0:42am
jhub-apps-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Sep 4, 2024 0:42am

[krassowski]

This is really good, thank you! Just one question: do we need to keep reading the old cookie for one release cycle just in case to reduce disruption to existing users?

[krassowski]

What do you think about:

Suggested change

	auth_by_cookie = APIKeyCookie(name=JHUB_APPS_AUTH_COOKIE_NAME)
	auth_by_cookie = APIKeyCookie(name=JHUB_APPS_AUTH_COOKIE_NAME)
	auth_by_cookie_deprecated = APIKeyCookie(name="access_token") # will be removed in next version

And adding or auth_by_cookie_deprecated in line 48?

[pmeier]

In general I'm in favor of not disrupting user workflow. However this would only shift the disruption to a later date unless the user gets warned or notified in some way that they depend on deprecated behavior.

[krassowski]

However this would only shift the disruption to a later date unless the user gets warned or notified in some way that they depend on deprecated behavior

the new cookie would be set once they log in using this version, and I think the cookies only have 7 days lifetime so think the proposed deprecation solution is fine; also the disruption would be minimal, probably just accepting the oauth screen which we are removing on nebari either way

[pmeier]

So we are only talking about the disruption of users needing to login again once? If so, I wouldn't bother with trying to read the old one. This is just minor inconvenience and for that we need to have another PR plus review.

[pmeier]

Thanks Amit! This cost me quite some time this morning until you realized that access_token was not coming from JupyterHub, but rather from here.

[pmeier]

I don't know if there is a BC policy in place, but this is BC breaking.

[pmeier]

Same here.