Merge branch 'master' into fix/service-account-limit

uc-cdis · Aug 7, 2020 · a064ad3 · a064ad3
2 parents a34c604 + b4007c9
commit a064ad3
Showing 1 changed file with 20 additions and 9 deletions.
diff --git a/fence/resources/user/__init__.py b/fence/resources/user/__init__.py
@@ -5,7 +5,9 @@
 
 import flask
 import jwt
+import smtplib
 from cdislogging import get_logger
+from gen3authz.client.arborist.errors import ArboristError
 
 from fence.resources import userdatamodel as udm
 from fence.resources.google.utils import (
@@ -14,12 +16,11 @@
     get_service_account,
 )
 from fence.resources.userdatamodel import get_user_groups
-import smtplib
 
-from fence.errors import NotFound, UserError, InternalError
-from fence.models import query_for_user
 from fence.config import config
-from gen3authz.client.arborist.errors import ArboristError
+from fence.errors import NotFound, Unauthorized, UserError, InternalError
+from fence.jwt.utils import get_jwt_header
+from fence.models import query_for_user
 
 
 logger = get_logger(__name__)
@@ -129,13 +130,23 @@ def get_user_info(current_session, username):
         optional_info = _get_optional_userinfo(user, requested_userinfo_claims)
         info.update(optional_info)
 
-    # Include ga4gh passport visas
-    if not flask.g.access_token:
+    # Include ga4gh passport visas if access token has ga4gh_passport_v1 in scope claim
+    try:
+        encoded_access_token = flask.g.access_token or get_jwt_header()
+    except Unauthorized:
+        # This only happens if a session token was present (since login_required did not throw an error)
+        # but for some reason there was no access token in flask.g.access_token.
+        # (Perhaps it was manually deleted by the user.)
+        # In particular, a curl request made with no tokens shouldn't get here (bc of login_required).
+        # So the request is probably from a browser.
         logger.warning(
-            "Session token present but no access token found. Unable to check scopes in userinfo; returning."
+            "Session token present but no access token found. "
+            "Unable to check scopes in userinfo; some claims may not be included in response."
         )
-    else:
-        at_scopes = jwt.decode(flask.g.access_token, verify=False).get("scope", "")
+        encoded_access_token = None
+
+    if encoded_access_token:
+        at_scopes = jwt.decode(encoded_access_token, verify=False).get("scope", "")
         if "ga4gh_passport_v1" in at_scopes:
             encoded_visas = [row.ga4gh_visa for row in user.ga4gh_visas_v1]
             info["ga4gh_passport_v1"] = encoded_visas