Tasks/WP-190: Handle concurrency with Tapis OAuth Token Refresh

server/portal/apps/auth/models.py

@@ -31,8 +31,7 @@ def expired(self):
         :return: True or False, depending if the token is expired.
         :rtype: bool
         """
-        current_time = time.time()
-        return self.created + self.expires_in - current_time - TOKEN_EXPIRY_THRESHOLD <= 0
+        return self.is_token_expired(self.created, self.expires_in)
 
     @property
     def created_at(self):
@@ -72,11 +71,11 @@ def client(self):
         :return: Tapis client using refresh token.
         :rtype: :class:Tapis
         """
-        client = Tapis(base_url=getattr(settings, 'TAPIS_TENANT_BASEURL'),
-                       client_id=getattr(settings, 'TAPIS_CLIENT_ID'),
-                       client_key=getattr(settings, 'TAPIS_CLIENT_KEY'),
-                       access_token=self.access_token,
-                       refresh_token=self.refresh_token)
+        # Optimize build only if enabled by the portal via `ENABLE_OPTIMIZED_OAUTH_REFRESH`
+        if settings.ENABLE_OPTIMIZED_OAUTH_REFRESH:
+            return self.optimized_client()
+
+        client = self.build_client()
 
         with transaction.atomic():
             if self.expired:
@@ -92,6 +91,46 @@ def client(self):
 
         return client
 
+    def optimized_client(self):
+        """Tapis client to limit one request to Tapis per User.
+
+        :return: Tapis client using refresh token.
+        :rtype: :class:Tapis
+        """
+        client = self.build_client()
+        if self.expired:
+            logger.info('Tapis OAuth token expired')
+            with transaction.atomic():
+                # Get a lock on this user's token row in db.
+                refreshed_token = TapisOAuthToken.objects.select_for_update().filter(user=self.user).first()
+                if self.is_token_expired(refreshed_token.created, refreshed_token.expires_in):
+                    try:
+                        logger.info('Refreshing tapis oauth token')
+                        client.refresh_tokens()
+                    except Exception:
+                        logger.exception('Tapis Token refresh failed')
+                        raise
+
+                    self.update(created=int(time.time()),
+                                access_token=client.access_token.access_token,
+                                expires_in=client.access_token.expires_in().total_seconds())
+                else:
+                    logger.info('Token updated by another request. Refreshing token from DB.')
+                    # Token is no longer expired, refresh latest token info from DB and update client
+                    self.refresh_from_db()
+                    client = self.build_client()
+
+        return client
+
+    def build_client(self):
+        return Tapis(
+            base_url=getattr(settings, "TAPIS_TENANT_BASEURL"),
+            client_id=getattr(settings, "TAPIS_CLIENT_ID"),
+            client_key=getattr(settings, "TAPIS_CLIENT_KEY"),
+            access_token=self.access_token,
+            refresh_token=self.refresh_token,
+        )
+
     def update(self, **kwargs):
         for k, v in kwargs.items():
             setattr(self, k, v)
@@ -107,3 +146,8 @@ def __str__(self):
         access_token_masked = self.access_token[-5:]
         refresh_token_masked = self.refresh_token[-5:]
         return f'access_token:{access_token_masked} refresh_token:{refresh_token_masked} expires_in:{self.expires_in} created:{self.created}'
+
+    @staticmethod
+    def is_token_expired(created, expires_in):
+        current_time = time.time()
+        return created + expires_in - current_time - TOKEN_EXPIRY_THRESHOLD <= 0

server/portal/settings/settings.py

@@ -724,6 +724,11 @@
 
 PORTAL_ELEVATED_ROLES = getattr(settings_custom, '_PORTAL_ELEVATED_ROLES', {})
 
+"""
+SETTINGS: OPTIONAL FEATURES. Edit settings_custom
+"""
+ENABLE_OPTIMIZED_OAUTH_REFRESH = getattr(settings_custom, '_ENABLE_OPTIMIZED_OAUTH_REFRESH', False)
+
 """
 SETTINGS: LOCAL OVERRIDES
 """