[Workbench] API token provided in query string should not be ignored just because the session already has a token.
- Log in to Workbench.
- Visit any Workbench page with ?api_token=123abc (or a valid token) in the query string.
- The new token is ignored. You're still logged in as if you had never provided an api_token.
- As a bonus, the ?api_token=123abc is displayed in the location bar instead of being redirected away.
Instead, when an api_token is provided in the query string, Workbench should:
- Throw away the existing token (if any) in the session.
- Use the new token from now on, whether or not it's valid.
- Redirect to the current page without the ?api_token param, to avoid having tokens sitting around in location bars.
In other words, the presence of session[:arvados_api_token] should not affect the process we use to copy a token from query string to session.
This may be a simple matter of reversing the order of the Thread and session tests here in
    if Thread.current[:arvados_api_token]
      yield   # An API token has already been found - pass it through.
      return
    elsif setup_user_session
      return  # A new session was set up and received a response.
    end
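The two orderings side by side, as an added example that is not Workbench code: `session_first` models the behaviour reported above, `query_first` the behaviour requested. The function names, the plain-Hash session and the sample URLs are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical model, not Workbench code. `session` is a plain Hash and
# `url` is the full request URL.

# Split the api_token parameter(s) out of a URL.
# Returns [last_token_or_nil, url_without_api_token].
def split_api_token(url)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s)
  tokens, rest = params.partition { |key, _| key == 'api_token' }
  uri.query = rest.empty? ? nil : URI.encode_www_form(rest)
  [tokens.empty? ? nil : tokens.last[1], uri.to_s]
end

# Reported behaviour: an existing session token short-circuits everything,
# so the supplied token is ignored and stays in the location bar.
def session_first(session, url)
  return [:continue, url] if session[:arvados_api_token]
  query_first(session, url)
end

# Requested behaviour: a token in the query string always replaces the
# session token (valid or not), then the client is redirected to the same
# page without the api_token parameter. Other parameters are preserved.
def query_first(session, url)
  token, clean_url = split_api_token(url)
  return [:continue, url] if token.nil?
  session.delete(:arvados_api_token)
  session[:arvados_api_token] = token
  [:redirect, clean_url]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request against a placeholder host.
  url = 'https://workbench.example/collections?api_token=123abc&page=2'
  p session_first({ arvados_api_token: 'old' }, url)
  p query_first({ arvados_api_token: 'old' }, url)
end
```

Validity of the stored token is deliberately not checked here; per the ticket, the new token is used "whether or not it's valid", so a bad token surfaces as an authentication failure on the redirected request.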