PEPPER-1063: Cleanup and refactoring of authentication code #2658

denniscunningham · 2023-08-18T18:16:49Z

A recent change to the authentication code meant DSM was no longer returning a response body for expired tokens (so DSM requesters had no way of knowing why authentication failed). Also, the expired token error continued to alert on Prod.

This PR fixes that issue, but also expands to normalize DSM's response to authentication issues. The intent is to ensure errors are getting logged at the appropriate level, and requesters are getting the correct status code and a response body describing the problem. The approach was largely to detangle the exception handling, logging and return protocols into something more coherent and consistent, but also includes new/updated method Java doc, and some selective cleanup in code that was poorly structured and/or particularly difficult to read. (There is more cleanup to do, but it makes sense to let these changes settle first.)

Checklist

I have labeled the type of changes involved using the C-* labels.
I have assessed potential risks and labeled using the R-* labels.
I have considered error handling and alerts, and added L-* labels as needed.
I have considered security and privacy, and added I-* labels as needed
I have analyzed my changes for stability, fault tolerance, graceful degradation, performance bottlenecks and written a brief summary in this PR.
If applicable, I have discussed the analytics needs at both a platform and study level with Product and instrumented code accordingly.
If applicable, my UI/UX changes have passed muster with Product/Design via an over-the-shoulder review, screenshots, etc.

If unsure or need help with any of the above items, add the help wanted label. For items that starts with If applicable, if it is not applicable, check it off and add n/a in front.

FUD Score

Overall, how are you feeling about these changes?

☺️ All good, business as usual!
😅 There might be some issues here
😱 I'm sweaty and nervous

How do we demo these changes?

How does one observe these changes in a deployed system? Note that user visible encompasses many personas--not just patients and study staff, but also ops duty, your fellow devs, compliance, etc.

They are user-visible in dev as a regular user journey and require no additional instructions.
Getting dev into a state where this is user-visible requires some tech fiddling. I have documented these steps in the related ticket.
Requires other features before it's human visible. I have documented the blocking issues in jira.
I have no idea how to demo this. Please help me!

Testing

I have written automated positive tests
I have written automated negative tests
I have written zero automated tests but have poked around locally to verify proper functionality
The jira ticket has acceptance criteria and QA has the needed information to test changes

Release

These changes require no special release procedures--just code!
Releasing these changes requires special handling and I have documented the special procedures in the release plan document