Expected behavior
Session should only be removed when logging out, or upon expiration.

Actual behavior
Because of a call to session.stop() in src/main/java/org/ohdsi/webapi/shiro/filters/UpdateAccessTokenFilter.java (see https://github.com/uc-cdis/WebAPI/commit/32e90bc0df31ab692c3167ec9c17ba500780821a#diff-2ab1eba233c07d9653dbc0312742cf31baea8a755f797445784064efa44f88f9L118-L122), the session is removed in endpoints where it should not be (like /user/refresh).

Steps to reproduce behavior
Run latest webapi w/ openid for example. Any attempt to retrieve session information after the filter above has been triggered as part of a later /user/refresh will fail with org.apache.shiro.subject.support.DisabledSessionException. Try for example the following steps:
add some code like this to a custom filter that runs after UPDATE_TOKEN in the /user/refresh endpoint
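As an added illustration (not the reporter's reproduction code and not WebAPI project code), the Shiro filter below shows how a downstream filter hits the failure described above and how to read session state defensively: Subject.getSession() with create defaulting to true throws DisabledSessionException when an earlier filter has stopped the session and session creation is disabled for the request, whereas getSession(false) returns null in that case. The filter and attribute names are assumptions.

```java
// Added example, not WebAPI code: a Shiro AdviceFilter that reads a session
// attribute without assuming the session survived earlier filters.
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.servlet.AdviceFilter;

public class SessionInfoFilter extends AdviceFilter {
    // Assumed attribute name; WebAPI's real session attribute keys differ.
    static final String USER_ATTR = "example.user";

    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response)
            throws Exception {
        Subject subject = SecurityUtils.getSubject();
        Session session;
        try {
            // create=false never builds a new session. After a preceding filter
            // has called session.stop(), this returns null instead of throwing
            // DisabledSessionException the way subject.getSession() would when
            // session creation is disabled for the request.
            session = subject.getSession(false);
        } catch (SessionException e) {
            // Any remaining session-lifecycle error (stopped, expired, disabled)
            // is treated the same way: there is no usable session.
            session = null;
        }

        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            // Fail closed with a clean 401 rather than an unhandled exception;
            // the root cause (stopping the session on /user/refresh) still needs
            // fixing in UpdateAccessTokenFilter, as the issue states.
            ((HttpServletResponse) response)
                    .sendError(HttpServletResponse.SC_UNAUTHORIZED, "no active session");
            return false; // stop the filter chain
        }

        request.setAttribute(USER_ATTR, user);
        return true;
    }
}
```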