Do not let refresh go if no refresh token

EGI-Federation · Oct 21, 2024 · 36e1e24 · 36e1e24
1 parent 16bbd0c
commit 36e1e24
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/egi_notebooks_hub/egiauthenticator.py b/egi_notebooks_hub/egiauthenticator.py
@@ -399,18 +399,13 @@ async def refresh_user(self, user, handler=None):
             return True
 
         access_token = auth_state.get("access_token", None)
-        refresh_token = auth_state.get("refresh_token", None)
 
         if not access_token:
             self.log.debug(
                 "No access token, assuming user is not managed with Check-in"
             )
             return True
 
-        if not refresh_token:
-            self.log.debug("No refresh token, assuming this user does not need it")
-            return True
-
         try:
             # We want to fall on the safe side for refreshing, hence using
             # the auth_refresh_age plus a configurable leeway
@@ -433,6 +428,11 @@ async def refresh_user(self, user, handler=None):
         except jwt.exceptions.InvalidTokenError as e:
             self.log.debug(f"Invalid access token, will try to refresh: {e}")
 
+        refresh_token = auth_state.get("refresh_token", None)
+        if not refresh_token:
+            self.log.warn(f"No refresh token, not allowing {user} without re-login")
+            return False
+
         # performing the refresh token call
         self.log.debug("Perform refresh call to Check-in")
         http_client = AsyncHTTPClient()
@@ -468,7 +468,7 @@ async def refresh_user(self, user, handler=None):
             return False
         resp_body = resp.body.decode("utf8", "replace")
         if not resp_body:
-            self.log.warning("Empty reply from refresh call? %s", body)
+            self.log.warning(f"Empty reply from refresh call for user {user}: {body}")
             return False
         refresh_info = json.loads(resp_body)
         auth_state["access_token"] = refresh_info["access_token"]