Contact authInfo should not be visible to all registrars in <info> flows

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=133960014
cgoldfeder 2016-09-22 09:06:43 -07:00 committed by Ben McIlwain
parent 4813ed392b
commit 740d49e22e
4 changed files with 105 additions and 1 deletions


@ -21,6 +21,7 @@ import static google.registry.model.eppoutput.Result.Code.SUCCESS;
import com.google.common.base.Optional;
import google.registry.flows.EppException;
import google.registry.flows.FlowModule.ClientId;
import google.registry.flows.FlowModule.TargetId;
import google.registry.flows.LoggedInFlow;
import google.registry.model.contact.ContactResource;
@ -33,12 +34,14 @@ import javax.inject.Inject;
*
* <p>The response includes the contact's postal info, phone numbers, emails, the authInfo which can
* be used to request a transfer and the details of the contact's most recent transfer if it has
* ever been transferred. Any registrar can see any contact's information.
* ever been transferred. Any registrar can see any contact's information, but the authInfo is only
* visible to the registrar that owns the contact or to a registrar that already supplied it.
*
* @error {@link google.registry.flows.exceptions.ResourceToQueryDoesNotExistException}
*/
public final class ContactInfoFlow extends LoggedInFlow {
@Inject @ClientId String clientId;
@Inject @TargetId String targetId;
@Inject Optional<AuthInfo> authInfo;
@Inject ContactInfoFlow() {}
@ -47,6 +50,9 @@ public final class ContactInfoFlow extends LoggedInFlow {
public final EppOutput run() throws EppException {
ContactResource contact = loadResourceForQuery(ContactResource.class, targetId, now);
verifyOptionalAuthInfoForResource(authInfo, contact);
if (!clientId.equals(contact.getCurrentSponsorClientId()) && !authInfo.isPresent()) {
contact = contact.asBuilder().setAuthInfo(null).build();
}
return createOutput(SUCCESS, cloneResourceWithLinkedStatus(contact, now));
}
}
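Review bot: The redaction guard in `run()` treats `authInfo.isPresent()` as proof that the caller supplied the correct authInfo. That holds only if `verifyOptionalAuthInfoForResource` on the preceding line throws on a mismatch, and that helper's body is not visible on this page. Since the disclosure decision depends on that ordering, I would add a comment above the `if`, such as `// authInfo, when present, was validated above; hide the stored value from non-sponsoring registrars that did not supply it.` If the test changes elsewhere in this commit do not already do so, they should cover a non-sponsoring registrar sending no authInfo (response omits it) and one sending a wrong authInfo (flow fails before any output is built).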