MAINT: harden jupyter docker (#1584)

rlundeen2 · web-flow · commit e4abebe353f2 · 2026-04-09T15:57:49.000-07:00
diff --git a/doc/getting_started/install_docker.md b/doc/getting_started/install_docker.md
@@ -59,16 +59,22 @@ docker-compose logs -f
 
 ### 4. Access JupyterLab
 
-Once the container is running, open your browser and navigate to:
+Once the container is running, retrieve the access URL (including the authentication token) from the logs:
 
+```bash
+docker-compose logs pyrit-jupyter
 ```
-http://localhost:8888
+
+Look for a line like:
+
+```
+http://127.0.0.1:8888/lab?token=<your-token>
 ```
 
-By default, JupyterLab runs without authentication for ease of use.
+Open that full URL in your browser. The token is required for access.
 
-```{warning}
-The default configuration has no password. For production use, consider adding authentication.
+```{note}
+JupyterLab is bound to `localhost` only and requires token authentication. Your API credentials are mounted into the container, so these protections prevent unauthorized access from other machines on your network.
 ```
 
 ## Using PyRIT in JupyterLab
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
@@ -15,7 +15,7 @@ services:
     image: pyrit:latest
     container_name: pyrit-jupyter
     ports:
-      - "8888:8888"
+      - "127.0.0.1:8888:8888"
     volumes:
       - notebooks:/app/notebooks
       - data:/app/data
@@ -26,7 +26,7 @@ services:
       - PYRIT_MODE=jupyter
     restart: unless-stopped
     healthcheck:
-      test: ["CMD-SHELL", "curl -sf http://localhost:8888 || exit 1"]
+      test: ["CMD-SHELL", "curl -sf http://localhost:8888/api/status || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3
diff --git a/docker/start.sh b/docker/start.sh
@@ -41,7 +41,8 @@ python -c "import pyrit; print(f'Running PyRIT version: {pyrit.__version__}')"
 if [ "$PYRIT_MODE" = "jupyter" ]; then
     echo "Starting JupyterLab on port 8888..."
     echo "Note: Notebooks are from the local source at build time"
-    exec jupyter lab --ip=0.0.0.0 --port=8888 --no-browser --allow-root --NotebookApp.token='' --NotebookApp.password='' --notebook-dir=/app/notebooks
+    echo "JupyterLab will generate an access token. Check the logs for the URL with token."
+    exec jupyter lab --ip=0.0.0.0 --port=8888 --no-browser --allow-root --notebook-dir=/app/notebooks
 elif [ "$PYRIT_MODE" = "gui" ]; then
     echo "Starting PyRIT GUI on port 8000..."
     exec python -m uvicorn pyrit.backend.main:app --host 0.0.0.0 --port 8000
