fix: move sso setting changes in wraps

2025-06-05 01:32:56 +09:00 · 2025-06-05 01:32:56 +09:00 · 4e17af5326
parent 743672f78d
commit 4e17af5326
2 changed files with 17 additions and 15 deletions
--- a/api/controllers/web/passport.py
+++ b/api/controllers/web/passport.py
@ -104,23 +104,8 @@ def decode_enterprise_webapp_user_id(jwt_token: str | None):

    decoded = PassportService().verify(jwt_token)
    source = decoded.get("token_source")
-    auth_type = decoded.get("auth_type")
-    granted_at = decoded.get("granted_at")
    if not source or source != "webapp_login_token":
        raise Unauthorized("Invalid token source. Expected 'webapp_login_token'.")
-    if not auth_type:
-        raise Unauthorized("Missing auth_type in the token.")
-    if not granted_at:
-        raise Unauthorized("Missing granted_at in the token.")
-    # check if sso has been updated
-    if auth_type == "external":
-        last_update_time = EnterpriseService.get_app_sso_settings_last_update_time()
-        if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
-            raise Unauthorized("SSO settings have been updated. Please re-login.")
-    elif auth_type == "internal":
-        last_update_time = EnterpriseService.get_workspace_sso_settings_last_update_time()
-        if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
-            raise Unauthorized("SSO settings have been updated. Please re-login.")
    return decoded


--- a/api/controllers/web/wraps.py
+++ b/api/controllers/web/wraps.py
@ -1,3 +1,4 @@
+from datetime import UTC, datetime
 from functools import wraps

 from flask import request
@ -122,6 +123,22 @@ def _validate_user_accessibility(
            if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_code=app_code):
                raise WebAppAuthAccessDeniedError()

+        auth_type = decoded.get("auth_type")
+        granted_at = decoded.get("granted_at")
+        if not auth_type:
+            raise WebAppAuthAccessDeniedError("Missing auth_type in the token.")
+        if not granted_at:
+            raise WebAppAuthAccessDeniedError("Missing granted_at in the token.")
+        # check if sso has been updated
+        if auth_type == "external":
+            last_update_time = EnterpriseService.get_app_sso_settings_last_update_time()
+            if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
+                raise WebAppAuthAccessDeniedError("SSO settings have been updated. Please re-login.")
+        elif auth_type == "internal":
+            last_update_time = EnterpriseService.get_workspace_sso_settings_last_update_time()
+            if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
+                raise WebAppAuthAccessDeniedError("SSO settings have been updated. Please re-login.")
+

 class WebApiResource(Resource):
    method_decorators = [validate_jwt_token]