From 9db80ae5788c0af4545befc1107bfc58f07b8448 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Tue, 26 May 2026 20:30:13 +0000
Subject: [PATCH 1/3] fix: use Bearer token only for EDC credentials auth
 header (fixes #148)

The combined 'Bearer {token},Basic {creds}' Authorization header caused
the LP DAAC S3 credentials endpoint to reject the request and redirect
to the EDL OAuth login page instead of returning credentials, resulting
in a JSONDecodeError when the empty/HTML response was parsed.

https://claude.ai/code/session_017YKqMqZHprcFmzXrt1p9HX
---
 api/endpoints/members.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/endpoints/members.py b/api/endpoints/members.py
index 3887831..077afe2 100755
--- a/api/endpoints/members.py
+++ b/api/endpoints/members.py
@@ -816,7 +816,7 @@ def get_edc_credentials(endpoint_uri, user_id):
 
     s.headers.update(
         {
-            'Authorization': f'Bearer {urs_token},Basic {settings.MAAP_EDL_CREDS}',
+            'Authorization': f'Bearer {urs_token}',
             'Connection': 'close'
         }
     )

From 9928d67eab69b6699038a490f0c7c931d49484e0 Mon Sep 17 00:00:00 2001
From: bsatoriu <27687558+bsatoriu@users.noreply.github.com>
Date: Wed, 27 May 2026 14:17:31 -0700
Subject: [PATCH 2/3] Improve EDL response handling and error logging

Remove edl_federated_request from s3 credentials flow and add error handling.
---
 api/endpoints/members.py | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/api/endpoints/members.py b/api/endpoints/members.py
index 077afe2..e022b6b 100755
--- a/api/endpoints/members.py
+++ b/api/endpoints/members.py
@@ -822,11 +822,20 @@ def get_edc_credentials(endpoint_uri, user_id):
     )
 
     endpoint = parse.unquote(endpoint_uri)
-    login_resp = s.get(endpoint, allow_redirects=False)
+    edl_response = s.get(endpoint, allow_redirects=False)
 
-    if login_resp.status_code == status.HTTP_307_TEMPORARY_REDIRECT:
-        edl_response = s.get(url=login_resp.headers['location'])
-    else:
-        edl_response = edl_federated_request(url=endpoint)
+    if not edl_response.ok:
+        log.error(f"EDL credentials request failed with status {edl_response.status_code} for endpoint {endpoint}: {edl_response.text}")
+        raise Exception(f"EDL credentials request failed with status {edl_response.status_code}")
 
-    return edl_response.json()
\ No newline at end of file
+    if not edl_response.text:
+        log.error(f"EDL credentials request returned empty response for endpoint {endpoint}")
+        raise Exception("EDL credentials request returned an empty response")
+
+    try:
+        return edl_response.json()
+    except requests.exceptions.JSONDecodeError:
+        log.error(f"EDL credentials response is not valid JSON for endpoint {endpoint}. "
+                   f"Content-Type: {edl_response.headers.get('Content-Type')}. "
+                   f"Response body: {edl_response.text[:500]}")
+        raise Exception("EDL credentials response is not valid JSON")

From cd8f6553f7133d29b9c32c1104dc517fe9863382 Mon Sep 17 00:00:00 2001
From: bsatoriu <bsatoriu@jpl.nasa.gov>
Date: Wed, 27 May 2026 14:27:58 -0700
Subject: [PATCH 3/3] Resolve SonarCloud warnings.

---
 api/endpoints/members.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/endpoints/members.py b/api/endpoints/members.py
index e022b6b..cc9b710 100755
--- a/api/endpoints/members.py
+++ b/api/endpoints/members.py
@@ -18,7 +18,7 @@
 from api.models.member_secret import MemberSecret as MemberSecret_db
 from api.schemas.member_schema import MemberSchema
 from api.schemas.member_session_schema import MemberSessionSchema
-from api.utils.security_utils import validate_ssh_key_file, sanitize_filename, InvalidFileTypeError, FileSizeTooLargeError, EmptyFileError
+from api.utils.security_utils import validate_ssh_key_file, sanitize_filename, InvalidFileTypeError, FileSizeTooLargeError, EmptyFileError, ExternalServiceError
 from api.utils.email_util import send_user_status_update_active_user_email, \
     send_user_status_update_suspended_user_email, send_user_status_change_email, \
     send_welcome_to_maap_active_user_email, send_welcome_to_maap_suspended_user_email
@@ -826,11 +826,11 @@ def get_edc_credentials(endpoint_uri, user_id):
 
     if not edl_response.ok:
         log.error(f"EDL credentials request failed with status {edl_response.status_code} for endpoint {endpoint}: {edl_response.text}")
-        raise Exception(f"EDL credentials request failed with status {edl_response.status_code}")
+        raise ExternalServiceError(f"EDL credentials request failed with status {edl_response.status_code}")
 
     if not edl_response.text:
         log.error(f"EDL credentials request returned empty response for endpoint {endpoint}")
-        raise Exception("EDL credentials request returned an empty response")
+        raise ExternalServiceError("EDL credentials request returned an empty response")
 
     try:
         return edl_response.json()
@@ -838,4 +838,4 @@ def get_edc_credentials(endpoint_uri, user_id):
         log.error(f"EDL credentials response is not valid JSON for endpoint {endpoint}. "
                    f"Content-Type: {edl_response.headers.get('Content-Type')}. "
                    f"Response body: {edl_response.text[:500]}")
-        raise Exception("EDL credentials response is not valid JSON")
+        raise ExternalServiceError("EDL credentials response is not valid JSON")