diff --git a/backend/atlas_portal/routes/access_requests.py b/backend/atlas_portal/routes/access_requests.py
index b688162..6842966 100644
--- a/backend/atlas_portal/routes/access_requests.py
+++ b/backend/atlas_portal/routes/access_requests.py
@@ -1056,18 +1056,23 @@ def register(app) -> None:
 actions_list: list[str] = []
 if isinstance(actions, list):
 actions_list = [a for a in actions if isinstance(a, str)]
- if "UPDATE_PASSWORD" not in actions_list:
- actions_list.append("UPDATE_PASSWORD")
- admin_client().update_user_safe(user_id, {"requiredActions": actions_list})
- conn.execute(
- """
- INSERT INTO access_request_onboarding_artifacts (request_code, artifact, value_hash)
- VALUES (%s, %s, NOW()::text)
- ON CONFLICT (request_code, artifact) DO NOTHING
- """,
- (code, _KEYCLOAK_PASSWORD_ROTATION_REQUESTED_ARTIFACT),
- )
+ rotation_requested = _password_rotation_requested(conn, code)
+ already_rotated = rotation_requested and "UPDATE_PASSWORD" not in actions_list
+
+ if not already_rotated:
+ if "UPDATE_PASSWORD" not in actions_list:
+ actions_list.append("UPDATE_PASSWORD")
+ admin_client().update_user_safe(user_id, {"requiredActions": actions_list})
+ if not rotation_requested:
+ conn.execute(
+ """
+ INSERT INTO access_request_onboarding_artifacts (request_code, artifact, value_hash)
+ VALUES (%s, %s, NOW()::text)
+ ON CONFLICT (request_code, artifact) DO NOTHING
+ """,
+ (code, _KEYCLOAK_PASSWORD_ROTATION_REQUESTED_ARTIFACT),
+ )
 onboarding_payload = _onboarding_payload(conn, code, request_username)
 except Exception:
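Review bot: `already_rotated` fails open, because `actions_list` stays `[]` whenever `actions` is not a list; once the rotation artifact exists, a missing or malformed `requiredActions` read is taken as proof the password was changed and `UPDATE_PASSWORD` is never re-applied. Tightening the condition to `already_rotated = rotation_requested and isinstance(actions, list) and "UPDATE_PASSWORD" not in actions_list` keeps the forced rotation on that path. The artifact insert also follows `update_user_safe(...)` without looking at its result; if that helper can return without applying the update (not visible in this hunk), the marker is recorded and the next call skips rotation, so confirm it raises on failure or gate the insert on its return value. A comment above `already_rotated` should state that "artifact present and action absent" is the completion signal, since an administrator clearing the action by hand produces the same state. The enclosing `try` starts before this hunk and its `except Exception:` handler continues past it.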