From 4e17af532690971eb627dabee64bab41f98c656b Mon Sep 17 00:00:00 2001
From: GareArc
Date: Thu, 5 Jun 2025 01:32:56 +0900
Subject: [PATCH] fix: move sso setting changes in wraps

---
 api/controllers/web/passport.py | 15 ---------------
 api/controllers/web/wraps.py | 17 +++++++++++++++++
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/api/controllers/web/passport.py b/api/controllers/web/passport.py
index 023c622125..be8f2b8732 100644
--- a/api/controllers/web/passport.py
+++ b/api/controllers/web/passport.py
@@ -104,23 +104,8 @@ def decode_enterprise_webapp_user_id(jwt_token: str | None):
     decoded = PassportService().verify(jwt_token)
     source = decoded.get("token_source")
-    auth_type = decoded.get("auth_type")
-    granted_at = decoded.get("granted_at")
     if not source or source != "webapp_login_token":
         raise Unauthorized("Invalid token source. Expected 'webapp_login_token'.")
-    if not auth_type:
-        raise Unauthorized("Missing auth_type in the token.")
-    if not granted_at:
-        raise Unauthorized("Missing granted_at in the token.")
-    # check if sso has been updated
-    if auth_type == "external":
-        last_update_time = EnterpriseService.get_app_sso_settings_last_update_time()
-        if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
-            raise Unauthorized("SSO settings have been updated. Please re-login.")
-    elif auth_type == "internal":
-        last_update_time = EnterpriseService.get_workspace_sso_settings_last_update_time()
-        if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
-            raise Unauthorized("SSO settings have been updated. Please re-login.")
     return decoded
diff --git a/api/controllers/web/wraps.py b/api/controllers/web/wraps.py
index 36928f308f..69bcfa6abf 100644
--- a/api/controllers/web/wraps.py
+++ b/api/controllers/web/wraps.py
@@ -1,3 +1,4 @@
+from datetime import UTC, datetime
 from functools import wraps
 from flask import request
@@ -122,6 +123,22 @@ def _validate_user_accessibility(
     if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_code=app_code):
         raise WebAppAuthAccessDeniedError()
+    auth_type = decoded.get("auth_type")
+    granted_at = decoded.get("granted_at")
+    if not auth_type:
+        raise WebAppAuthAccessDeniedError("Missing auth_type in the token.")
+    if not granted_at:
+        raise WebAppAuthAccessDeniedError("Missing granted_at in the token.")
+    # check if sso has been updated
+    if auth_type == "external":
+        last_update_time = EnterpriseService.get_app_sso_settings_last_update_time()
+        if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
+            raise WebAppAuthAccessDeniedError("SSO settings have been updated. Please re-login.")
+    elif auth_type == "internal":
+        last_update_time = EnterpriseService.get_workspace_sso_settings_last_update_time()
+        if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:
+            raise WebAppAuthAccessDeniedError("SSO settings have been updated. Please re-login.")
 class WebApiResource(Resource):
     method_decorators = [validate_jwt_token]
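Review bot: A token whose `auth_type` is neither "external" nor "internal" falls through both branches of the new block and is accepted with no SSO-freshness check at all, so an unexpected or future value silently skips the re-login enforcement; close the chain with `else: raise WebAppAuthAccessDeniedError("Unknown auth_type in the token.")`. The inner `if granted_at and ...` guards are redundant because `not granted_at` already raised a few lines up, and `datetime.fromtimestamp(granted_at, tz=UTC)` raises `TypeError`/`ValueError` rather than a denial if the claim is not numeric — presumably the signed token always carries an int here, but validating the type before the conversion keeps a malformed claim on the access-denied path instead of a server error. The `<` comparison also presumes `get_app_sso_settings_last_update_time()` and `get_workspace_sso_settings_last_update_time()` return timezone-aware datetimes; a naive value would make the comparison itself raise. Since the same check was deleted from `decode_enterprise_webapp_user_id` in passport.py, any consumer of that decoder that does not pass through `_validate_user_accessibility` no longer enforces SSO freshness — worth confirming every webapp auth path reaches this function. `_validate_user_accessibility` begins before this hunk.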