From 6411a375baee3313236e93cc445a970640198895 Mon Sep 17 00:00:00 2001
From: Andrew Godwin
Date: Thu, 2 Mar 2023 10:22:37 -0700
Subject: [PATCH] Allow API access with cookies again

---
 api/decorators.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/api/decorators.py b/api/decorators.py
index 4a93715..09550ee 100644
--- a/api/decorators.py
+++ b/api/decorators.py
@@ -32,12 +32,18 @@ def scope_required(scope: str, requires_identity=True):
 @wraps(function)
 def inner(request, *args, **kwargs):
 if not request.token:
- return JsonResponse({"error": "identity_token_required"}, status=401)
+ if request.identity:
+ # They're just logged in via cookie - give full access
+ pass
+ else:
+ return JsonResponse(
+ {"error": "identity_token_required"}, status=401
+ )
+ elif not request.token.has_scope(scope):
+ return JsonResponse({"error": "out_of_scope_for_token"}, status=403)
 # They need an identity
 if not request.identity and requires_identity:
 return JsonResponse({"error": "identity_token_required"}, status=401)
- if not request.token.has_scope(scope):
- return JsonResponse({"error": "out_of_scope_for_token"}, status=403)
 return function(request, *args, **kwargs)
 inner.csrf_exempt = True # type:ignore