PXP-7696 Fix/renew access token (#874)

* ix: always mint new token * fix: wrong logic * fix: add config * run the hook * set default to false
uc-cdis · Feb 22, 2021 · 1bb9084 · 1bb9084
1 parent 6e55fcd
commit 1bb9084
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 7 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "poetry.lock",
     "lines": null
   },
-  "generated_at": "2020-10-22T16:33:03Z",
+  "generated_at": "2021-02-19T16:52:13Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -92,7 +92,7 @@
       {
         "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db",
         "is_verified": false,
-        "line_number": 510,
+        "line_number": 511,
         "type": "Secret Keyword"
       }
     ],
@@ -200,7 +200,7 @@
       {
         "hashed_secret": "d9db6fe5c14dc55edd34115cdf3958845ac30882",
         "is_verified": false,
-        "line_number": 271,
+        "line_number": 327,
         "type": "Hex High Entropy String"
       }
     ],

diff --git a/fence/config-default.yaml b/fence/config-default.yaml
@@ -380,6 +380,8 @@ MAX_ACCESS_TOKEN_TTL: 3600
 # auth checks against Arborist, and no longer check the token.
 TOKEN_PROJECTS_CUTOFF: 10
 
+# If set to true, will generate an new access token each time when a browser session update happens
+RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION: false
 
 ########################################################################################
 #                               OPTIONAL CONFIGURATIONS                                #
@@ -773,6 +775,6 @@ SERVICE_ACCOUNT_LIMIT: 6
 USERSYNC:
   sync_from_visas: false
   # fallback to dbgap sftp when there are no valid visas for a user i.e. if they're expired or if they're malformed
-  fallback_to_dbgap_sftp: false 
+  fallback_to_dbgap_sftp: false
   visa_types:
     ras: [https://ras.nih.gov/visas/v1, https://ras.nih.gov/visas/v1.1]
diff --git a/fence/config.py b/fence/config.py
@@ -37,6 +37,7 @@ def post_process(self):
             "REFRESH_TOKEN_EXPIRES_IN",
             "SESSION_TIMEOUT",
             "SESSION_LIFETIME",
+            "RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION",
             "GOOGLE_SERVICE_ACCOUNT_KEY_FOR_URL_SIGNING_EXPIRES_IN",
             "GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN",
             "GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN",

diff --git a/fence/resources/user/user_session.py b/fence/resources/user/user_session.py
@@ -215,9 +215,14 @@ def save_session(self, app, session, response):
                     domain=domain,
                 )
 
-            # if a user is logged in and doesn't have an access token, let's
-            # generate one
-            if user and not flask.g.access_token:
+            # generate an access token and set in cookie if
+            # user is logged in AND one of the following:
+            # 1. RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION = true in config
+            # 2. current access token has expired (no access_token)
+            if user and (
+                config.get("RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION")
+                or not flask.g.access_token
+            ):
                 _create_access_token_cookie(app, session, response, user)
         else:
             # If there isn't a session token, we should set