John conroy/ws token for users (#3662)

* Only request workspaces token for workspace users * Add changelog --------- Co-authored-by: John Conroy <[email protected]>
hubmapconsortium · Jan 7, 2025 · f5c8be2 · f5c8be2
1 parent afcac4f
commit f5c8be2
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 20 deletions.
diff --git a/CHANGELOG-ws-token-for-users.md b/CHANGELOG-ws-token-for-users.md
@@ -0,0 +1 @@
+- Only request workspaces token for workspaces users during auth routine.
diff --git a/context/app/routes_auth.py b/context/app/routes_auth.py
@@ -109,26 +109,6 @@ def login():
     auth_token_object = tokens.by_resource_server['auth.globus.org']
     auth_token = auth_token_object['access_token']
 
-    # This could be defered until someone actually tries to access the workspaces, but:
-    # - This network request could potentially be slow... Lump it with the other slows.
-    # - If you're logged in, you should be logged in all the way... Easier to debug.
-    workspaces_post_url = current_app.config['WORKSPACES_ENDPOINT'] + '/tokens/'
-    workspaces_post_data = dumps({'auth_token': groups_token})
-    workspaces_post_resp = requests.post(
-        workspaces_post_url,
-        data=workspaces_post_data)
-
-    try:
-        workspaces_token = workspaces_post_resp.json()['token']
-    except Exception as e:
-        if not workspaces_post_resp.ok:
-            current_app.logger.error(
-                'Workspaces auth failed: '
-                f'{workspaces_post_resp.status_code} {workspaces_post_resp.text[:100]}')
-        else:
-            current_app.logger.error(f'Workspaces auth token read failed: {e}')
-        workspaces_token = ''  # None would serialize to "None" ... which is no longer false-y.
-
     user_info_request_headers = {'Authorization': 'Bearer ' + auth_token}
 
     log('6: userinfo')
@@ -153,6 +133,27 @@ def login():
         'Workspaces': current_app.config['WORKSPACES_GROUP_ID']
     }
 
+    workspaces_token = ''  # None would serialize to "None" ... which is no longer false-y.
+    if 'HuBMAP' in permission_groups or 'Workspaces' in permission_groups:
+        # This could be defered until someone actually tries to access the workspaces, but:
+        # - This network request could potentially be slow... Lump it with the other slows.
+        # - If you're logged in, you should be logged in all the way... Easier to debug.
+        workspaces_post_url = current_app.config['WORKSPACES_ENDPOINT'] + '/tokens/'
+        workspaces_post_data = dumps({'auth_token': groups_token})
+        workspaces_post_resp = requests.post(
+            workspaces_post_url,
+            data=workspaces_post_data)
+
+        try:
+            workspaces_token = workspaces_post_resp.json()['token']
+        except Exception as e:
+            if not workspaces_post_resp.ok:
+                current_app.logger.error(
+                    'Workspaces auth failed: '
+                    f'{workspaces_post_resp.status_code} {workspaces_post_resp.text[:100]}')
+            else:
+                current_app.logger.error(f'Workspaces auth token read failed: {e}')
+
     # Determine if the user belongs to any of the groups in the globus groups master list
     user_internal_hubmap_groups = [
         g for g in globus_groups if user_globus_groups and has_globus_group(
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Only request workspaces token for workspaces users during auth routine.