in rest-lib/src/main/scala/com/gu/mediaservice/lib/auth/Authentication.scala [46:73]
/**
 * Resolves who is calling, or the response to send instead.
 *
 * Providers are consulted in a fixed order — inner-service, then API, then user — and the first
 * one that answers anything other than `NotAuthenticated` decides the outcome; the providers
 * after it are never asked. That ordering is security-relevant: an `Invalid` credential seen by
 * an earlier provider is rejected with a 401 without the user session ever being looked at, and a
 * `NotAuthorised` answer becomes a 403 from whichever provider recognised the principal.
 *
 * @param requestHeader the incoming request, handed to each provider (and to the flush hook)
 * @param gracePeriodCountsAsAuthenticated when true a user principal whose credential is in its
 *        grace period is accepted; when false it is treated exactly like an expired one
 * @return `Right(principal)` once a provider authenticates the request, otherwise `Left` of the
 *         (asynchronous) error response to send
 */
def authenticationStatus(requestHeader: RequestHeader, gracePeriodCountsAsAuthenticated: Boolean): Either[Future[Result], Principal] = {
  // Gives the user provider's flush hook, if it has one, the chance to rewrite a response
  // (presumably to drop the credential it just rejected — confirm against the provider);
  // without a hook the response is passed through untouched.
  def flushToken(response: Result): Result =
    providers.userProvider.flushToken.fold(response)(_(requestHeader, response))

  providers.innerServiceProvider.authenticateRequest(requestHeader) match {
    case NotAuthenticated =>
      // No inner-service credential on the request: fall through to the API provider.
      providers.apiProvider.authenticateRequest(requestHeader) match {
        case NotAuthenticated =>
          // No API credential either: the user provider has the final say.
          providers.userProvider.authenticateRequest(requestHeader) match {
            case Authenticated(user) => Right(user)
            // The guarded arm must stay ahead of the unguarded one.
            case GracePeriod(user) if gracePeriodCountsAsAuthenticated => Right(user)
            case GracePeriod(user) => Left(expired(user))
            case Expired(user) => Left(expired(user))
            case NotAuthenticated => Left(unauthorised("Not authenticated"))
            // Only a credential rejected by the user provider goes through the flush hook.
            case Invalid(reason, cause) => Left(unauthorised(reason, cause).map(flushToken))
            case NotAuthorised(reason) => Left(forbidden(s"Principal not authorised: $reason"))
          }
        case Authenticated(user) => Right(user)
        case Invalid(reason, cause) => Left(unauthorised(reason, cause))
        case NotAuthorised(reason) => Left(forbidden(s"Principal not authorised: $reason"))
      }
    case Authenticated(user) => Right(user)
    case Invalid(reason, cause) => Left(unauthorised(reason, cause))
    // Same three arms as the API provider above; the repetition is deliberate for now (TODO).
    case NotAuthorised(reason) => Left(forbidden(s"Principal not authorised: $reason"))
  }
}