
[No Ticket] [Level-Up-Time] Remove access token from external login unauthenticated session

Open cslzchen opened this issue 6 years ago • 1 comment

Purpose

The mystery of why CAS releases a special access token to OSF, which then stores it in the current authenticated session, was solved during ENG-1013 with CAS-PR-160. We happily discovered that this access token is quite important and serves as the ONLY way for OSF to list all of a user's authorized apps (sadly, not enabled / used by current OSF).

This short hackathon PR removes the access token from the unauthenticated session of an external login. In addition, it improves the code, style, comments and docstrings where this access token is used in OSF.

Changes

It is recommended to review the changes commit by commit.

https://github.com/CenterForOpenScience/osf.io/pull/9156/commits/2b5a1fe9bdd011dd0e3900cf8be84e4ed398bc16

A refactor of comments, docstrings and style for make_response_from_ticket(), which has no functional effect. This commit simply gives us a cleaner code diff for the next one, which is functional.

https://github.com/CenterForOpenScience/osf.io/pull/9156/commits/726eb15f3032c1766d837cd2371fb8d1ac9a2c05

  • Kept the access token for the normal OSF login authenticated session
  • Removed the access token from the external login unauthenticated session
  • Updated the docstring and removed confusing TODO comments
  • Fixed unit tests

QA Notes

Dev QA

Documentation

N / A

Side Effects

N / A

Ticket

N / A

cslzchen avatar Sep 13 '19 20:09 cslzchen

Thanks @cslzchen, I'll take a look at this. Especially happy about the useful docstrings -

pattisdr avatar Sep 18 '19 13:09 pattisdr