@stevenwinship stevenwinship commented Sep 25, 2025

What this PR does / why we need it: We need to decouple the Access API from this responsibility, so that it validates permissions for the authenticated user provided by the API authentication filter—regardless of the authentication mechanism used. In the SPA’s case, this is a bearer token.

Must still be backward compatible with JSF, so the session is still needed but localized.

The original issue also has a bug in that the API called is not being sent as a bearer token.

Which issue(s) this PR closes: #11740

Special notes for your reviewer: Removed a lot of the code referencing the session. Some code was not being utilized as downstream code doesn't behave as it did when this older code was written. I tried to consolidate the code accessing the session to a single method.

Suggestions on how to test this: Once the frontend is fixed, the UI can be used to test. Until then, a curl to the endpoint with the Bearer token can be used. I tested by adding a log statement to display the bearer token (BearerTokenAuthMechanism) from the previous call to pass to this API call.

Does this PR introduce a user interface change? If mockups are available, please link/include them here: no

Is there a release notes update needed for this change?: included

Additional documentation:

@stevenwinship added the labels Type: Bug (a defect), GREI Re-arch (Issues related to the GREI Dataverse rearchitecture), Size: 50 (A percentage of a sprint. 35 hours.), Original size: 50, FY26 Sprint 4 (2025-08-13 - 2025-08-27), FY26 Sprint 5 (2025-08-27 - 2025-09-10), FY26 Sprint 6 (2025-09-10 - 2025-09-24), SPA.Q3.2025 (Not related to any specific Q3 2025 feature) on Sep 25, 2025
@stevenwinship moved this to In Progress 💻 in IQSS Dataverse Project on Sep 25, 2025
@stevenwinship self-assigned this on Sep 25, 2025
@stevenwinship changed the title from "clean up use of session for spa" to "clean up use of session in Access APIs for spa" on Sep 25, 2025
@stevenwinship changed the title from "clean up use of session in Access APIs for spa" to "clean up use of session in Access APIs for SPA" on Sep 25, 2025
coveralls commented Sep 25, 2025

coverage: 24.245% (+0.01%) from 24.232%
when pulling 2bf12da on 11740-api-file-download-with-bearer-token
into ee55052 on develop.

@stevenwinship
Contributor Author

I removed the code that compared the authUser and sessionUser to null, since these calls no longer returned null; they returned guestUser if the user was not found.

@stevenwinship added the label Size: 10 (A percentage of a sprint. 7 hours.) and removed the label Size: 50 (A percentage of a sprint. 35 hours.) on Sep 25, 2025
@cmbz added the label FY26 Sprint 9 (2025-10-22 - 2025-11-05) on Oct 23, 2025
@sekmiller self-assigned this on Oct 23, 2025
@sekmiller moved this from Ready for Review ⏩ to In Review 🔎 in IQSS Dataverse Project on Oct 23, 2025
@github-project-automation (bot) moved this from In Review 🔎 to Ready for QA ⏩ in IQSS Dataverse Project on Oct 24, 2025
@sekmiller removed their assignment on Oct 27, 2025
@cmbz added the label FY26 Sprint 10 (2025-11-05 - 2025-11-19) on Nov 5, 2025
@cmbz added the label FY26 Sprint 11 (2025-11-20 - 2025-12-03) on Nov 22, 2025
@cmbz added the label FY26 Sprint 12 (2025-12-03 - 2025-12-17) on Dec 3, 2025
@cmbz added the label FY26 Sprint 14 (2025-12-31 - 2026-01-14) on Dec 31, 2025

github-actions bot commented Jan 5, 2026

📦 Pushed preview images as

ghcr.io/gdcc/dataverse:11740-api-file-download-with-bearer-token
ghcr.io/gdcc/configbaker:11740-api-file-download-with-bearer-token

🚢 See on GHCR. Use by referencing with full name as printed above, mind the registry name.

Labels

- FY26 Sprint 4 (2025-08-13 - 2025-08-27)
- FY26 Sprint 5 (2025-08-27 - 2025-09-10)
- FY26 Sprint 6 (2025-09-10 - 2025-09-24)
- FY26 Sprint 8 (2025-10-08 - 2025-10-22)
- FY26 Sprint 9 (2025-10-22 - 2025-11-05)
- FY26 Sprint 10 (2025-11-05 - 2025-11-19)
- FY26 Sprint 11 (2025-11-20 - 2025-12-03)
- FY26 Sprint 12 (2025-12-03 - 2025-12-17)
- FY26 Sprint 14 (2025-12-31 - 2026-01-14)
- GREI Re-arch (Issues related to the GREI Dataverse rearchitecture)
- Original size: 50
- Size: 10 (A percentage of a sprint. 7 hours.)
- SPA.Q3.2025 (Not related to any specific Q3 2025 feature)
- Type: Bug (a defect)

Projects

Status: Ready for QA ⏩

Development

Successfully merging this pull request may close these issues.

Access API file downloads do not work with Bearer Token authentication on draft datasets.
