DiamondLightSource
diff --git a/‎src/murfey/server/api/auth.py‎
Lines changed: 194 additions & 98 deletions b/‎src/murfey/server/api/auth.py‎
Lines changed: 194 additions & 98 deletions
diff --git a/‎src/murfey/server/api/file_manip.py‎
Lines changed: 2 additions & 1 deletion b/‎src/murfey/server/api/file_manip.py‎
Lines changed: 2 additions & 1 deletion
@@ -8,7 +8,6 @@
 
 import aiohttp
 import requests
-from backports.entry_points_selectable import entry_points
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.security import HTTPBearer, OAuth2PasswordBearer, OAuth2PasswordRequestForm
 from jose import JWTError, jwt
@@ -78,20 +77,6 @@ async def __call__(self, request: Request):
 
 instrument_server_tokens: Dict[float, dict] = {}
 
-
-"""
-HELPER FUNCTIONS
-"""
-
-
-def verify_password(plain_password: str, hashed_password: str) -> bool:
-    return pwd_context.verify(plain_password, hashed_password)
-
-
-def hash_password(password: str) -> str:
-    return pwd_context.hash(password)
-
-
 # Set up database engine
 try:
     _url = url(security_config)
@@ -100,22 +85,19 @@ def hash_password(password: str) -> str:
     engine = None
 
 
-def validate_user(username: str, password: str) -> bool:
-    try:
-        with Session(engine) as murfey_db:
-            user = murfey_db.exec(select(User).where(User.username == username)).one()
-    except Exception:
-        return False
-    return verify_password(password, user.hashed_password)
+def hash_password(password: str) -> str:
+    return pwd_context.hash(password)
 
 
-def validate_visit(visit_name: str, token: str) -> bool:
-    if validators := entry_points().select(
-        group="murfey.auth.session_validation",
-        name=security_config.auth_type,
-    ):
-        return validators[0].load()(visit_name, token)
-    return True
+"""
+=======================================================================================
+TOKEN VALIDATION FUNCTIONS
+=======================================================================================
+
+Functions and helpers used to validate incoming requests from both the client and
+the frontend. 'validate_token()' and 'validate_instrument_token()' are imported
+int the other FastAPI modules and attached as dependencies to the routers.
+"""
 
 
 def check_user(username: str) -> bool:
@@ -127,75 +109,75 @@ def check_user(username: str) -> bool:
     return username in [u.username for u in users]
 
 
-def validate_instrument_server_session_token(session_id: int, visit: str):
-    with Session(engine) as murfey_db:
-        session_data = murfey_db.exec(
-            select(MurfeySession).where(MurfeySession.id == session_id)
-        ).all()
-    if len(session_data) != 1:
-        return False
-    return visit == session_data[0].visit
-
-
 async def validate_token(token: Annotated[str, Depends(oauth2_scheme)]):
+    """
+    Used by the backend routers to validate requests coming in from frontend.
+    """
     try:
-        try:
-            if security_config.auth_type == "password":
-                await validate_password_token(token)
-        except JWTError:
-            await validate_instrument_token(token)
-        decoded_data = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
-        # first check if the token has expired
-        if expiry_time := decoded_data.get("expiry_time"):
-            if expiry_time < time.time():
-                raise JWTError
-        if decoded_data.get("user"):
-            if not check_user(decoded_data["user"]):
-                raise JWTError
-        elif decoded_data.get("session") is not None:
-            if not validate_instrument_server_session_token(
-                decoded_data["session"], decoded_data["visit"]
-            ):
+        # Validate using auth URL if provided; will error if invalid
+        if auth_url:
+            headers = (
+                {}
+                if security_config.auth_type == "cookie"
+                else {"Authorization": f"Bearer {token}"}
+            )
+            cookies = (
+                {security_config.cookie_key: token}
+                if security_config.auth_type == "cookie"
+                else {}
+            )
+            async with aiohttp.ClientSession(cookies=cookies) as session:
+                async with session.get(
+                    f"{auth_url}/validate_token",
+                    headers=headers,
+                ) as response:
+                    success = response.status == 200
+                    validation_outcome = await response.json()
+            if not (success and validation_outcome.get("valid")):
                 raise JWTError
+        # Auth URL MUST be provided if authenticating using cookies
         else:
-            raise JWTError
+            if security_config.auth_type == "cookie":
+                raise JWTError
+
+        # Validate using password
+        if security_config.auth_type == "password":
+            decoded_data = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+            # Frontend validation
+            if decoded_data.get("user"):
+                if not check_user(decoded_data["user"]):
+                    raise JWTError
+
     except JWTError:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Could not validate credentials",
+            detail="Could not validate credentials from frontend",
             headers={"WWW-Authenticate": "Bearer"},
         )
     return None
 
 
-async def validate_password_token(token: Annotated[str, Depends(oauth2_scheme)]):
-    if auth_url:
-        headers = (
-            {}
-            if security_config.auth_type == "cookie"
-            else {"Authorization": f"Bearer {token}"}
-        )
-        cookies = (
-            {security_config.cookie_key: token}
-            if security_config.auth_type == "cookie"
-            else {}
-        )
-        async with aiohttp.ClientSession(cookies=cookies) as session:
-            async with session.get(
-                f"{auth_url}/validate_token",
-                headers=headers,
-            ) as response:
-                success = response.status == 200
-                validation_outcome = await response.json()
-        if not (success and validation_outcome.get("valid")):
-            raise JWTError
-    return None
+def validate_session_against_visit(session_id: int, visit: str):
+    """
+    Checks that the session ID is associated with the claimed visit.
+    """
+    with Session(engine) as murfey_db:
+        session_data = murfey_db.exec(
+            select(MurfeySession).where(MurfeySession.id == session_id)
+        ).all()
+    if len(session_data) != 1:
+        return False
+    return visit == session_data[0].visit
 
 
 async def validate_instrument_token(
     token: Annotated[str, Depends(instrument_oauth2_scheme)]
 ):
+    """
+    Used by the backend routers to check the incoming instrument server token.
+    """
     try:
+        # Validate using auth URL if provided
         if security_config.instrument_auth_url:
             async with aiohttp.ClientSession() as session:
                 headers = (
@@ -212,33 +194,105 @@ async def validate_instrument_token(
             if not (success and validation_outcome.get("valid")):
                 raise JWTError
         else:
-            if validators := entry_points().select(
-                group="murfey.auth.token_validation",
-                name=security_config.auth_type,
-            ):
-                validators[0].load()(token)
+            # First, check if the token has expired
+            decoded_data = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+            if expiry_time := decoded_data.get("expiry_time"):
+                if expiry_time < time.time():
+                    raise JWTError
+            elif decoded_data.get("session") is not None:
+                # Check that the decoded session corresponds to the visit
+                if not validate_session_against_visit(
+                    decoded_data["session"], decoded_data["visit"]
+                ):
+                    raise JWTError
             else:
                 raise JWTError
     except JWTError:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Could not validate credentials",
+            detail="Could not validate credentials from instrument",
             headers={"WWW-Authenticate": "Bearer"},
         )
     return None
 
 
+"""
+=======================================================================================
+VALIDATING SESSION IDS
+=======================================================================================
+
+Annotated ints are defined here that trigger validation of the session IDs in incoming
+requests, verifying that the session is allowed to access the particular visit.
+
+The 'MurfeySessionID...' types are imported and used in the type hints of the endpoint
+functions in the other FastAPI routers, depending on whether requests from the frontend
+or the instrument are expected.
+"""
+
+
+async def validate_visit(visit_name: str, token: str, instrument_access: bool) -> bool:
+    """
+    Validates the incoming token depending on whether it's from the instrument or the frontend
+    """
+
+    # If this token is from the instrument server, validate this way
+    if instrument_access:
+        if security_config.instrument_auth_url:
+            async with aiohttp.ClientSession() as session:
+                headers = (
+                    {}
+                    if not security_config.instrument_auth_type
+                    else {"Authorization": f"Bearer {token}"}
+                )
+                async with session.get(
+                    f"{security_config.instrument_auth_url}/validate_visit_access/{visit_name}",
+                    headers=headers,
+                ) as response:
+                    success = response.status == 200
+                    validation_outcome = await response.json()
+            if not (success and validation_outcome.get("valid")):
+                return False
+    # Otherwise, use this validation method
+    else:
+        if security_config.auth_url:
+            headers = (
+                {}
+                if security_config.auth_type == "cookie"
+                else {"Authorization": f"Bearer {token}"}
+            )
+            cookies = (
+                {security_config.cookie_key: token}
+                if security_config.auth_type == "cookie"
+                else {}
+            )
+            async with aiohttp.ClientSession(cookies=cookies) as session:
+                async with session.get(
+                    f"{auth_url}/validate_visit_access/{visit_name}",
+                    headers=headers,
+                ) as response:
+                    success = response.status == 200
+                    validation_outcome = await response.json()
+            if not (success and validation_outcome.get("valid")):
+                return False
+    return True
+
+
 async def validate_session_access(
-    session_id: int, token: Annotated[str, Depends(oauth2_scheme)]
+    session_id: int,
+    token: Annotated[str, Depends(oauth2_scheme)],
+    instrument_access: bool,
 ) -> int:
-    await validate_token(token)
+    """
+    Validates whether the request is authorised to access information about this session
+    """
     with Session(engine) as murfey_db:
         visit_name = (
             murfey_db.exec(select(MurfeySession).where(MurfeySession.id == session_id))
             .one()
             .visit
         )
-    if not validate_visit(visit_name, token):
+    validated = await validate_visit(visit_name, token, instrument_access)
+    if not validated:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="You do not have access to this visit",
@@ -247,9 +301,53 @@ async def validate_session_access(
     return session_id
 
 
-class Token(BaseModel):
-    access_token: str
-    token_type: str
+def validate_session_access_wrapper(instrument_access: bool):
+    """
+    Factory that returns an async wrapper arond 'validate_session_access' with the
+    'instrument_access' field preconfigured.
+
+    This is used to generate FastAPI-compatible dependencies for validating session
+    access, based on the context of the request.
+
+    Unlike 'functools.partial', this approach preserves introspection compatibility
+    required by FastAPI for dependency resolution and OpenAPI generation.
+    """
+
+    async def _validate(session_id: int, token: Annotated[str, Depends(oauth2_scheme)]):
+        return await validate_session_access(
+            session_id, token, instrument_access=instrument_access
+        )
+
+    return _validate
+
+
+# Set validation conditions for the session ID based on where the request is from
+MurfeySessionIDFrontend = Annotated[
+    int, Depends(validate_session_access_wrapper(instrument_access=False))
+]
+MurfeySessionIDInstrument = Annotated[
+    int, Depends(validate_session_access_wrapper(instrument_access=True))
+]
+
+
+"""
+=======================================================================================
+API ENDPOINTS AND HELPER FUNCTIONS/CLASSES
+=======================================================================================
+"""
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    return pwd_context.verify(plain_password, hashed_password)
+
+
+def validate_user(username: str, password: str) -> bool:
+    try:
+        with Session(engine) as murfey_db:
+            user = murfey_db.exec(select(User).where(User.username == username)).one()
+    except Exception:
+        return False
+    return verify_password(password, user.hashed_password)
 
 
 def create_access_token(data: dict, token: str = "") -> str:
@@ -274,11 +372,9 @@ def create_access_token(data: dict, token: str = "") -> str:
     return encoded_jwt
 
 
-MurfeySessionID = Annotated[int, Depends(validate_session_access)]
-
-"""
-API ENDPOINTS
-"""
+class Token(BaseModel):
+    access_token: str
+    token_type: str
 
 
 @router.post("/token")
@@ -313,7 +409,7 @@ async def generate_token(
 
 
 @router.get("/sessions/{session_id}/token")
-async def mint_session_token(session_id: MurfeySessionID, db=murfey_db):
+async def mint_session_token(session_id: MurfeySessionIDFrontend, db=murfey_db):
     visit = (
         db.exec(select(MurfeySession).where(MurfeySession.id == session_id)).one().visit
     )
 
@@ -8,7 +8,8 @@
 from sqlmodel import select
 from werkzeug.utils import secure_filename
 
-from murfey.server.api.auth import MurfeySessionID, validate_instrument_token
+from murfey.server.api.auth import MurfeySessionIDInstrument as MurfeySessionID
+from murfey.server.api.auth import validate_instrument_token
 from murfey.server.gain import Camera, prepare_eer_gain, prepare_gain
 from murfey.server.murfey_db import murfey_db
 from murfey.util import sanitise, secure_path