Disable fresh login check in auth engines that won't support it

data/users/__init__.py

@@ -187,6 +187,11 @@ class UserAuthentication(object):
     """ Returns whether this auth system supports using encrypted credentials. """
     return self.state.supports_encrypted_credentials
 
+  @property
+  def supports_fresh_login(self):
+    """ Returns whether this auth system supports the fresh login check. """
+    return self.state.supports_fresh_login
+
   def query_users(self, query, limit=20):
     """ Performs a lookup against the user system for the specified query. The returned tuple
         will be of the form (results, federated_login_id, err_msg). If the method is unsupported,

data/users/apptoken.py

@@ -12,6 +12,10 @@ class AppTokenInternalAuth(object):
   """ Forces all internal credential login to go through an app token, by disabling all other
       access.
   """
+  @property
+  def supports_fresh_login(self):
+    # Since there is no password.
+    return False
 
   @property
   def federated_service(self):

data/users/database.py

@@ -5,6 +5,10 @@ class DatabaseUsers(object):
   def federated_service(self):
     return None
 
+  @property
+  def supports_fresh_login(self):
+    return True
+
   def ping(self):
     """ Always assumed to be working. If the DB is broken, other checks will handle it. """
     return (True, None)

data/users/federated.py

@@ -24,6 +24,10 @@ class FederatedUsers(object):
   def federated_service(self):
     return self._federated_service
 
+  @property
+  def supports_fresh_login(self):
+    return True
+
   @property
   def supports_encrypted_credentials(self):
     return True

endpoints/api/__init__.py

@@ -10,7 +10,7 @@ from flask_restful import Resource, abort, Api, reqparse
 from flask_restful.utils.cors import crossdomain
 from jsonschema import validate, ValidationError
 
-from app import app, metric_queue
+from app import app, metric_queue, authentication
 from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
                               AdministerRepositoryPermission, UserReadPermission,
                               UserAdminPermission)
@@ -300,7 +300,8 @@ def require_fresh_login(func):
     last_login = session.get('login_time', datetime.datetime.min)
     valid_span = datetime.datetime.now() - datetime.timedelta(minutes=10)
 
-    if not user.password_hash or last_login >= valid_span:
+    if (not user.password_hash or last_login >= valid_span or
+        not authentication.supports_fresh_login):
       return func(*args, **kwargs)
 
     raise FreshLoginRequired()