TUI authentication fix (#604)

tieneupin · web-flow · commit 041056efffaf · 2025-06-10T12:42:37.000+01:00
* Added 'allow_user_token' to security config to enable verification using the simpler 'user' token
* Added messages when starting up Murfey TUI to describe why it fails to connect to server
diff --git a/src/murfey/client/__init__.py b/src/murfey/client/__init__.py
@@ -275,9 +275,20 @@ def run():
     rich_handler.setLevel(logging.DEBUG if args.debug else logging.INFO)
 
     # Set up websocket app and handler
-    client_id = requests.get(
+    client_id_response = requests.get(
         f"{murfey_url.geturl()}{url_path_for('session_control.router', 'new_client_id')}"
-    ).json()
+    )
+    if client_id_response.status_code == 401:
+        exit(
+            "This instrument is not authorised to run the TUI app; please use the "
+            "Murfey web UI instead"
+        )
+    elif client_id_response.status_code != 200:
+        exit(
+            "Unable to establish connection to Murfey server: \n"
+            f"{client_id_response.json()}"
+        )
+    client_id: dict = client_id_response.json()
     ws = murfey.client.websocket.WSApp(
         server=args.server,
         id=client_id["new_id"],
diff --git a/src/murfey/instrument_server/__init__.py b/src/murfey/instrument_server/__init__.py
@@ -7,6 +7,7 @@
 
 import murfey
 import murfey.client.update
+import murfey.client.websocket
 from murfey.client.customlogging import CustomHandler
 from murfey.util import LogFilter
 from murfey.util.client import read_config
diff --git a/src/murfey/server/api/auth.py b/src/murfey/server/api/auth.py
@@ -175,12 +175,16 @@ async def validate_instrument_token(
             if expiry_time := decoded_data.get("expiry_time"):
                 if expiry_time < time.time():
                     raise JWTError
+            # Check that the decoded session corresponds to the visit
             elif decoded_data.get("session") is not None:
-                # Check that the decoded session corresponds to the visit
                 if not validate_session_against_visit(
                     decoded_data["session"], decoded_data["visit"]
                 ):
                     raise JWTError
+            # Verify 'user' token if enabled
+            elif security_config.allow_user_token:
+                if not decoded_data.get("user"):
+                    raise JWTError
             else:
                 raise JWTError
     except JWTError:
diff --git a/src/murfey/util/config.py b/src/murfey/util/config.py
@@ -124,13 +124,14 @@ class Security(BaseModel):
     ispyb_credentials: Optional[Path] = None
 
     # Murfey server connection settings
+    auth_url: str = ""
+    auth_type: Literal["password", "cookie"] = "password"
     auth_algorithm: str = ""
     auth_key: str = ""
-    auth_type: Literal["password", "cookie"] = "password"
-    auth_url: str = ""
-    instrument_auth_type: Literal["token", ""] = "token"
-    instrument_auth_url: str = ""
     cookie_key: str = ""
+    instrument_auth_url: str = ""
+    instrument_auth_type: Literal["token", ""] = "token"
+    allow_user_token: bool = False  # TUI 'user' token support
     session_validation: str = ""
     session_token_timeout: Optional[int] = None
     allow_origins: list[str] = ["*"]
