Merge pull request #380 from HumanBrainProject/staging

access token scoping/refreshing

deploy/auth/util.js

@@ -10,17 +10,19 @@ const redirectUri = `${HOSTNAME}/hbp-oidc/cb`
 let REFRESH_TOKEN = process.env.REFRESH_TOKEN || null
 const CLIENT_NOT_INIT = `Client is not initialised.`
 const REFRESH_TOKEN_MISSING = `refresh token is missing`
+const REFRESH_ACCESS_TOKEN_MISSING = `access token not defined upon refresh`
+const REFRESH_REFRESH_TOKEN_MISSING = `refresh token not defined upon refresh`
 
 let __client
 let __publicAccessToken
 
 const refreshToken = async () => {
-  if (!__client)
-    throw new Error(CLIENT_NOT_INIT)
-  if (!REFRESH_TOKEN)
-    throw new Error(REFRESH_TOKEN_MISSING)
+  if (!__client) throw new Error(CLIENT_NOT_INIT)
+  if (!REFRESH_TOKEN) throw new Error(REFRESH_TOKEN_MISSING)
   const tokenset = await __client.refresh(REFRESH_TOKEN)
   const {access_token: accessToken, refresh_token: refreshToken, id_token: idToken} = tokenset
+  if (!accessToken) throw new Error(REFRESH_ACCESS_TOKEN_MISSING)
+  if (!refreshToken) throw new Error(REFRESH_REFRESH_TOKEN_MISSING)
   if (refreshToken !== REFRESH_TOKEN) {
     REFRESH_TOKEN = refreshToken
   }

deploy/datasets/util.js

 const kgQueryUtil = require('./../auth/util')
 
-let getPublicAccessToken, publicAccessToken
+let getPublicAccessToken
 
 const getUserKGRequestParam = async ({ user }) => {
+  let publicAccessToken
   /**
    * n.b. ACCESS_TOKEN env var is usually only set during dev
    */
   const accessToken = (user && user.tokenset && user.tokenset.access_token) || process.env.ACCESS_TOKEN
   const releasedOnly = !accessToken
-  if (!accessToken && !publicAccessToken && getPublicAccessToken) {
+  if (!accessToken && getPublicAccessToken) {
     publicAccessToken = await getPublicAccessToken()
   }
   const option = accessToken || publicAccessToken