From 7f033145ca1063c3aabb37ed37482fe3c38412ae Mon Sep 17 00:00:00 2001
From: Mingfei Shao
Date: Thu, 11 Feb 2021 18:14:44 -0600
Subject: [PATCH 1/5] ix: always mint new token

---
 fence/resources/user/user_session.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/fence/resources/user/user_session.py b/fence/resources/user/user_session.py
index 7685d9ec7..65f5bdc2b 100644
--- a/fence/resources/user/user_session.py
+++ b/fence/resources/user/user_session.py
@@ -215,10 +215,8 @@ def save_session(self, app, session, response):
 domain=domain,
 )
 
- # if a user is logged in and doesn't have an access token, let's
- # generate one
- if user and not flask.g.access_token:
- _create_access_token_cookie(app, session, response, user)
+ # always generate an new access token if user is logged in
+ _create_access_token_cookie(app, session, response, user)
 else:
 # If there isn't a session token, we should set
 # the cookies to nothing and expire them immediately.

From 5371a69bba274a521096556b23a1e7e44c69312f Mon Sep 17 00:00:00 2001
From: Mingfei Shao
Date: Sat, 13 Feb 2021 14:34:50 -0600
Subject: [PATCH 2/5] fix: wrong logic

---
 fence/resources/user/user_session.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fence/resources/user/user_session.py b/fence/resources/user/user_session.py
index 65f5bdc2b..c54ba465a 100644
--- a/fence/resources/user/user_session.py
+++ b/fence/resources/user/user_session.py
@@ -215,8 +215,9 @@ def save_session(self, app, session, response):
 domain=domain,
 )
 
- # always generate an new access token if user is logged in
- _create_access_token_cookie(app, session, response, user)
+ # if a user is logged in, generate an access token and set in cookie
+ if user:
+ _create_access_token_cookie(app, session, response, user)
 else:
 # If there isn't a session token, we should set
 # the cookies to nothing and expire them immediately.

From bcb24dfaafbba71da7f20cc9117f702311d32686 Mon Sep 17 00:00:00 2001
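Review bot: The `else:` kept as context right after the new unconditional `_create_access_token_cookie(app, session, response, user)` call in PATCH 1/5 no longer has a matching `if`, so the file does not parse at this commit; PATCH 2/5 restores the `if user:` guard. Squashing PATCH 1/5 into 2/5 (which would also drop the `ix:` subject typo) keeps every commit in the series importable and bisectable. save_session's body starts and ends outside the hunk.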
From: Mingfei Shao
Date: Thu, 18 Feb 2021 17:42:49 -0600
Subject: [PATCH 3/5] fix: add config

---
 fence/config-default.yaml | 2 ++
 fence/config.py | 1 +
 fence/resources/user/user_session.py | 7 +++++--
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/fence/config-default.yaml b/fence/config-default.yaml
index 06638dce6..1f06c322b 100644
--- a/fence/config-default.yaml
+++ b/fence/config-default.yaml
@@ -380,6 +380,8 @@ MAX_ACCESS_TOKEN_TTL: 3600
 # auth checks against Arborist, and no longer check the token.
 TOKEN_PROJECTS_CUTOFF: 10
 
+# If set to true, will generate an new access token each time when a browser session update happens
+RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION: true
 ########################################################################################
 # OPTIONAL CONFIGURATIONS
 #
diff --git a/fence/config.py b/fence/config.py
index b383bbd73..32eed9575 100644
--- a/fence/config.py
+++ b/fence/config.py
@@ -37,6 +37,7 @@ def post_process(self):
 "REFRESH_TOKEN_EXPIRES_IN",
 "SESSION_TIMEOUT",
 "SESSION_LIFETIME",
+ "RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION",
 "GOOGLE_SERVICE_ACCOUNT_KEY_FOR_URL_SIGNING_EXPIRES_IN",
 "GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN",
 "GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN",
diff --git a/fence/resources/user/user_session.py b/fence/resources/user/user_session.py
index c54ba465a..948d70920 100644
--- a/fence/resources/user/user_session.py
+++ b/fence/resources/user/user_session.py
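Review bot: The comment added above `RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION` in config-default.yaml only describes the `true` case, and the key's name suggests a renewal window near expiry, whereas the code gated on it (the user_session.py hunk of this patch) mints a fresh access token on every session save while the flag is on, regardless of how much life the current token has left. An operator reading only this file cannot tell what `false` does, which matters because it is a token-lifetime setting. Suggest replacing the comment with: `# If true, mint a new access token (and reset its cookie) on every browser session update, even while the current token is still valid. If false, a new token is minted only when the request carries no access token.` The same comment is carried unchanged into the hunk of PATCH 5/5, which only flips the default to `false`, so the rewording applies there too.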
@@ -215,8 +215,11 @@ def save_session(self, app, session, response):
 domain=domain,
 )
 
- # if a user is logged in, generate an access token and set in cookie
- if user:
+ # generate an access token and set in cookie if
+ # user is logged in AND one of the following:
+ # 1. RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION = true in config
+ # 2. current access token has expired (no access_token)
+ if user and (config.get("RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION") or not flask.g.access_token):
 _create_access_token_cookie(app, session, response, user)
 else:
 # If there isn't a session token, we should set

From 3bf9f05b0c7e7b8a842791cd0ee0f9f21d1e2094 Mon Sep 17 00:00:00 2001
From: Mingfei Shao
Date: Fri, 19 Feb 2021 10:52:50 -0600
Subject: [PATCH 4/5] run the hook

---
 .secrets.baseline | 6 +++---
 fence/config-default.yaml | 2 +-
 fence/resources/user/user_session.py | 5 ++++-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index 703c3b9c0..dac57f985 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "poetry.lock",
 "lines": null
 },
- "generated_at": "2020-10-22T16:33:03Z",
+ "generated_at": "2021-02-19T16:52:13Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -92,7 +92,7 @@
 {
 "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db",
 "is_verified": false,
- "line_number": 510,
+ "line_number": 511,
 "type": "Secret Keyword"
 }
 ],
@@ -200,7 +200,7 @@
 {
 "hashed_secret": "d9db6fe5c14dc55edd34115cdf3958845ac30882",
 "is_verified": false,
- "line_number": 271,
+ "line_number": 327,
 "type": "Hex High Entropy String"
 }
 ],
diff --git a/fence/config-default.yaml b/fence/config-default.yaml
index 1f06c322b..536d2e10d 100644
--- a/fence/config-default.yaml
+++ b/fence/config-default.yaml
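Review bot: The added comment `# 2. current access token has expired (no access_token)` claims more than the condition checks: `not flask.g.access_token` only tells whether a token is present on `flask.g`, and a present-but-expired token would not reach `_create_access_token_cookie` on this branch unless whatever populates `flask.g.access_token` (outside this hunk) already discards expired tokens — worth confirming, and wording the comment as `# 2. no access token is present on this request`. With the flag on, every response that saves the session issues a new access-token cookie, so a live browser session keeps receiving fresh tokens for as long as the session itself lasts; that looks intended, but it is an effective token-lifetime change that deserves a sentence in the config comment. `config.get("RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION")` is `None` when the key is absent, so an unset flag keeps the previous behaviour, but the test is plain truthiness — if the value could ever arrive as the string `"false"` it would be treated as enabled, so coercing the setting to a bool when the config is loaded, or comparing `is True` here, would close that gap. save_session's body starts and ends outside the hunk.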
@@ -775,6 +775,6 @@ SERVICE_ACCOUNT_LIMIT: 6
 USERSYNC:
 sync_from_visas: false
 # fallback to dbgap sftp when there are no valid visas for a user i.e. if they're expired or if they're malformed
- fallback_to_dbgap_sftp: false
+ fallback_to_dbgap_sftp: false
 visa_types:
 ras: [https://ras.nih.gov/visas/v1, https://ras.nih.gov/visas/v1.1]
diff --git a/fence/resources/user/user_session.py b/fence/resources/user/user_session.py
index 948d70920..01475d400 100644
--- a/fence/resources/user/user_session.py
+++ b/fence/resources/user/user_session.py
@@ -219,7 +219,10 @@ def save_session(self, app, session, response):
 # user is logged in AND one of the following:
 # 1. RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION = true in config
 # 2. current access token has expired (no access_token)
- if user and (config.get("RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION") or not flask.g.access_token):
+ if user and (
+ config.get("RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION")
+ or not flask.g.access_token
+ ):
 _create_access_token_cookie(app, session, response, user)
 else:
 # If there isn't a session token, we should set

From ced7bd4d9981475396681cf2a6d19232cea63a56 Mon Sep 17 00:00:00 2001
From: Mingfei Shao
Date: Fri, 19 Feb 2021 15:18:44 -0600
Subject: [PATCH 5/5] set default to false

---
 fence/config-default.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fence/config-default.yaml b/fence/config-default.yaml
index 536d2e10d..260173e4f 100644
--- a/fence/config-default.yaml
+++ b/fence/config-default.yaml
@@ -381,7 +381,7 @@ MAX_ACCESS_TOKEN_TTL: 3600
 TOKEN_PROJECTS_CUTOFF: 10
 
 # If set to true, will generate an new access token each time when a browser session update happens
-RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION: true
+RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION: false
 ########################################################################################
 # OPTIONAL CONFIGURATIONS
 #