From 6b0a2d29b9d0ba4186b6e0db03daad64a374c7b7 Mon Sep 17 00:00:00 2001
From: Georgy Litvinov
Date: Mon, 29 Apr 2024 18:29:10 +0200
Subject: [PATCH] fix sparql api authentication
---
 .../vitro/webapp/controller/api/VitroApiServlet.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java
index 52951a8a9..52f1f5ba2 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java
@@ -54,7 +54,12 @@ protected void confirmAuthorization(HttpServletRequest req,
 + "last names and a valid email address.");
 }
- if (!auth.isCurrentPasswordArgon2(account, password)) {
+ boolean credentialsProvided = auth.isCurrentPasswordArgon2(account, password);
+ //Check authorization if user is already authenticated or public access allowed
+ if (PolicyHelper.isAuthorizedForActions(req, requiredActions)) {
+ return;
+ }
+ if (!credentialsProvided) {
 log.debug("Invalid: '" + email + "'/'" + password + "'");
 throw new AuthException("email/password combination is not valid");
 }
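Review bot: `credentialsProvided` actually holds the result of the Argon2 password check, and it is computed before the `PolicyHelper.isAuthorizedForActions(req, requiredActions)` shortcut, so a request already authorized by session or public policy still pays for a password hash whose result is then discarded. Moving the shortcut above the check and keeping the original `if (!auth.isCurrentPasswordArgon2(account, password)) {` would avoid that; failing that, the flag should be named for what it is, e.g. `passwordMatches`. With the early return, a request carrying a wrong password is accepted without a log entry or AuthException whenever the session is authorized, so if that is intended the comment should say it, e.g. `// Session or public-access authorization takes precedence; supplied credentials are then ignored`. The retained `log.debug` line writes the submitted password in clear text, and `log.debug("Invalid credentials for '" + email + "'");` would keep the diagnostic without the secret. confirmAuthorization starts above and continues below the hunk, so whether the earlier account checks can still reject a session-authenticated caller is not visible here.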