You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airavata.apache.org by ma...@apache.org on 2021/07/18 19:27:04 UTC
[airavata-django-portal] 04/04: Fixes bug where missing
ACCESS_TOKEN was interpreted as a good, unexpired token
This is an automated email from the ASF dual-hosted git repository.
machristie pushed a commit to branch staging
in repository https://gitbox.apache.org/repos/asf/airavata-django-portal.git
commit fabcc8fce1c3081d690a6a0fe91481b189b1b6e6
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Sun Jul 18 15:26:44 2021 -0400
Fixes bug where missing ACCESS_TOKEN was interpreted as a good, unexpired token
---
django_airavata/apps/auth/utils.py | 39 ++++++++++++++++++++++++++++----------
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/django_airavata/apps/auth/utils.py b/django_airavata/apps/auth/utils.py
index 747cdca..bb9e82d 100644
--- a/django_airavata/apps/auth/utils.py
+++ b/django_airavata/apps/auth/utils.py
@@ -18,7 +18,9 @@ def get_authz_token(request, user=None, access_token=None):
"""Construct AuthzToken instance from session; refresh token if needed."""
if access_token is not None:
return _create_authz_token(request, user=user, access_token=access_token)
- elif not is_access_token_expired(request, user=user):
+ elif is_request_access_token(request):
+ return _create_authz_token(request, user=user)
+ elif is_session_access_token(request) and not is_session_access_token_expired(request, user=user):
return _create_authz_token(request, user=user, access_token=access_token)
elif not is_refresh_token_expired(request):
# Have backend reauthenticate the user with the refresh token
@@ -64,21 +66,38 @@ def _create_authz_token(request, user=None, access_token=None):
'userName': username})
-def _get_access_token(request):
+def _get_access_token_source(request):
if hasattr(request, 'auth') and request.auth is not None:
- return request.auth
+ return 'request'
+ elif 'ACCESS_TOKEN' in request.session:
+ return 'session'
else:
+ return None
+
+
+def _get_access_token(request):
+ source = _get_access_token_source(request)
+ if source == 'request':
+ return request.auth
+ elif source == 'session':
return request.session['ACCESS_TOKEN']
+ else:
+ return None
+
+
+def is_session_access_token(request):
+ """Return True if access token is stored in the user's session."""
+ return _get_access_token_source(request) == 'session'
+
+
+def is_request_access_token(request):
+ """Return True if access token passed in request, e.g., a Bearer token."""
+ return _get_access_token_source(request) == 'request'
-def is_access_token_expired(request, user=None):
- """Return True if access_token is not available or is expired."""
- # If access token not stored in session, then token expiration/refreshing
- # isn't supported. When token is provided by REST API client it is expected
- # that the client will manage the token lifetime.
+def is_session_access_token_expired(request, user=None):
+ """Return True if session access_token is not available or is expired."""
user = user if user is not None else request.user
- if 'ACCESS_TOKEN' not in request.session:
- return False
now = time.time()
return not user.is_authenticated \
or 'ACCESS_TOKEN' not in request.session \