#IDP-41 - Add UploadDataDialog and implement flow

applications/idp-arc/deploy/resources/default.conf

@@ -1,9 +1,77 @@
+# When the frontend passes accessToken as a URL param (cross-domain cookie
+# writes are blocked by browsers), Nginx injects it as a Cookie header in
+# the forwarded request so chkclogin can read it.
+#
+# Two-case map: if the URL has accessToken, use only that cookie (browser has
+# no JupyterHub cookies yet at this point anyway); otherwise forward the
+# browser's existing cookies unchanged (for polling and upload requests).
+# Extract the _xsrf cookie value so JavaScript can read it as X-XSRF-Token.
+# The browser may carry multiple _xsrf cookies (hub token at /jupyter-proxy/hub/
+# and user-server token at /). The greedy .* captures the LAST occurrence, which
+# is always the user-server's token — the one JupyterLab actually validates.
+map $http_cookie $xsrf_val {
+  "~.*_xsrf=([^;]+)" $1;
+  default            "";
+}
+
+map $arg_accessToken $proxy_cookie {
+  ""      $http_cookie;
+  default "accessToken=$arg_accessToken";
+}
+
 server {
   listen 8080;
 
   root /usr/share/nginx/html;
   index index.html;
 
+  # JupyterHub reverse proxy.
+  # Bridges the cross-domain cookie restriction: browser cannot set cookies for
+  # lab.v2dev.opensourcebrain.org from a different origin, but Nginx can inject
+  # them server-side.  Set-Cookie domains are rewritten so session cookies are
+  # stored for this host and carried on subsequent polling / upload requests.
+  location /jupyter-proxy/ {
+    client_max_body_size 500m;
+    # Expose the _xsrf cookie value so JavaScript can use it as X-XSRFToken.
+    add_header X-XSRF-Token $xsrf_val always;
+    proxy_pass https://lab.v2dev.opensourcebrain.org/;
+    proxy_http_version 1.1;
+
+    proxy_set_header Host lab.v2dev.opensourcebrain.org;
+    proxy_set_header Cookie $proxy_cookie;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    proxy_ssl_server_name on;
+
+    # Rewrite Set-Cookie so the browser stores session cookies for this host.
+    proxy_cookie_domain lab.v2dev.opensourcebrain.org $host;
+    # Rewrite cookie Path so session cookies reach both /hub and /user endpoints.
+    #
+    # JupyterHub sets the auth session cookie with Path=/hub (hub.base_url).
+    # After prefixing to /jupyter-proxy/hub it would NOT be sent to
+    # /jupyter-proxy/user/… — causing 403 on the Contents API.
+    # Fix: expand any hub-scoped path to the full proxy root so the cookie is
+    # sent for ALL /jupyter-proxy/… requests.
+    # NOTE: hub cookies (incl. hub-side _xsrf) also reach /user/… this way; the
+    # Nginx map uses a greedy .* to select the LAST _xsrf in the Cookie header,
+    # which is always the user-server's token that JupyterLab validates against.
+    #
+    # Directive 1: /hub or /hub/… → /jupyter-proxy/ (hub cookies go everywhere)
+    proxy_cookie_path ~^/hub(/.*)?$ /jupyter-proxy/;
+    # Directive 2: everything else (user-server paths like /user/...) → Path=/
+    # Mapping to root makes these cookies (including _xsrf set by JupyterLab)
+    # sent to all /jupyter-proxy/… requests (poll + upload).
+    proxy_cookie_path ~^/(?!hub|jupyter-proxy)(.*) /;
+
+    # Rewrite Location redirect headers to keep subsequent requests in the proxy.
+    # Use explicit https://$host to avoid Nginx constructing an http://:8080 URL
+    # (which would be blocked as mixed content when the page is served over HTTPS).
+    proxy_redirect https://lab.v2dev.opensourcebrain.org/ https://$host/jupyter-proxy/;
+    proxy_redirect / https://$host/jupyter-proxy/;
+  }
+
   location / {
     try_files $uri $uri/ /index.html;
   }

applications/idp-arc/frontend/src/app/container.ts

@@ -30,7 +30,7 @@ const WWW_BASE       = import.meta.env.DEV ? '/api-proxy' : `https://www.${BASE_
 const WORKSPACES_API = `${WWW_BASE}/proxy/workspaces/api`
 const WORKSPACES_LIST_URL =
   `${WWW_BASE}/proxy/workspaces/api/workspace?page=1&per_page=24&q=&tags=`
-const JUPYTER_BASE   = `https://lab.${BASE_DOMAIN}`
+const JUPYTER_BASE   = '/jupyter-proxy'
 const FRONTEND_BASE  = `https://www.${BASE_DOMAIN}`
 
 // ─── Infrastructure singletons ────────────────────────────────────────────────