Added 'allow_user_token' to security config to enable verification using the simpler 'user' token; allows this looser verification to be switched on or off per instrument

Author: tieneupin

src/murfey/server/api/auth.py

@@ -181,9 +181,10 @@ async def validate_instrument_token(
                     decoded_data["session"], decoded_data["visit"]
                 ):
                     raise JWTError
-            # Check for Murfey TUI tokens (just a 'user' key)
-            elif decoded_data.get("user") is not None:
-                pass
+            # Verify 'user' token if enabled
+            elif security_config.allow_user_token:
+                if not decoded_data.get("user"):
+                    raise JWTError
             else:
                 raise JWTError
     except JWTError:

src/murfey/util/config.py

@@ -124,13 +124,14 @@ class Security(BaseModel):
     ispyb_credentials: Optional[Path] = None
 
     # Murfey server connection settings
+    auth_url: str = ""
+    auth_type: Literal["password", "cookie"] = "password"
     auth_algorithm: str = ""
     auth_key: str = ""
-    auth_type: Literal["password", "cookie"] = "password"
-    auth_url: str = ""
-    instrument_auth_type: Literal["token", ""] = "token"
-    instrument_auth_url: str = ""
     cookie_key: str = ""
+    instrument_auth_url: str = ""
+    instrument_auth_type: Literal["token", ""] = "token"
+    allow_user_token: bool = False  # TUI 'user' token support
     session_validation: str = ""
     session_token_timeout: Optional[int] = None
     allow_origins: list[str] = ["*"]