resolves root session issue in security policy, removes hack solution in session model

madoleary · madoleary · commit fe262b839939 · 2023-05-26T13:02:12.000+02:00
diff --git a/h/security/policy/combined.py b/h/security/policy/combined.py
@@ -74,7 +74,9 @@ def _call_sub_policies(self, method, request, *args, **kwargs):
             return getattr(self._ui_policy, method)(request, *args, **kwargs)
 
         # Then we try the bearer header (or `access_token` GET param)
+
         result = getattr(self._bearer_token_policy, method)(request, *args, **kwargs)
+        print(result)
 
         if not result and self._http_basic_auth_policy.handles(request):
             # Only then do we look for auth clients authenticating with basic
@@ -87,7 +89,9 @@ def _call_sub_policies(self, method, request, *args, **kwargs):
 
     @staticmethod
     def _is_api_request(request):
-        return request.path.startswith("/api") and request.path not in [
+        return (request.path.startswith("/api") or request.path.startswith("/hypothesis")) and request.path not in [
             "/api/token",
             "/api/badge",
+            "/hypothesis/api/token",
+            "/hypothesis/api/badge"
         ]
diff --git a/h/session.py b/h/session.py
@@ -25,13 +25,6 @@ def profile(request, authority=None):
     """
     user = request.user
 
-    if user is None:
-        h_key = request.cookies.get('h_key')
-        user_svc = request.find_service(name='user')
-        user_tosdr = user_svc.fetch_from_tosdr(h_key)        
-        username = user_tosdr.username
-        user = user_svc.fetch(username, authority=request.default_authority)
-
     if user is not None:
         authority = user.authority
     else:
diff --git a/h/views/api/auth.py b/h/views/api/auth.py
@@ -167,7 +167,7 @@ def _authorized_response(self):
         username = user_tosdr.username
         user = self.user_svc.fetch(username, authority=self.request.default_authority)
         # TOSDR : create user in h if it does not exist
-        if not user:
+        if h_key and not user:
             password = ''.join(random.choice(string.printable) for i in range(12))
             user = User(username=user_tosdr.username, email=user_tosdr.email, privacy_accepted=datetime.now(), comms_opt_in=False, password=password, authority=self.request.default_authority)
             self.session.add(user)
