Improve handling of authorization errors

README.md

@@ -112,17 +112,6 @@ curl -s 'https://api.github.com/repos/paulscherrerinstitute/scicat-cli/releases/
 
 The latest binaries will be downloaded to `scicat-cli_*/`.
 
-### Beamline consoles
-
-Note: *Outdated instructions*
-
-Deploy linux versions to online beamline consoles (you need to have write access rights):
-
-```bash
-cd linux
-scp datasetArchiver datasetIngestor datasetRetriever  datasetGetProposal datasetCleaner SciCat egli@gfa-lc.psi.ch:/work/sls/bin/
-```
-
 ### PBAIngest Server
 
 Deploy linux versions to the ingest server pbaingest01. This is usually done by Michael
@@ -137,5 +126,5 @@ curl -s https://api.github.com/repos/paulscherrerinstitute/scicat-cli/releases/l
 | tr -d \" \
 | wget -qi -
 tar -xzf scicat-cli_*_Linux_x86_64.tar.gz
-chmod +x datasetIngestor datasetArchiver datasetGetProposal
+chmod +x scicat-cli
 ```

cmd/commands/authenticate.go

@@ -21,15 +21,8 @@ type Authenticator interface {
 type RealAuthenticator struct{}
 
 func (r RealAuthenticator) AuthenticateUser(httpClient *http.Client, APIServer string, username string, password string) (map[string]string, []string, error) {
-	user, groups, err := datasetUtils.AuthenticateUser(httpClient, APIServer, username, password, false)
-	if err != nil {
-		user, groups, err = datasetUtils.AuthenticateUser(httpClient, APIServer, username, password, true)
-		if err != nil {
-			return map[string]string{}, []string{}, err
-		}
-		datasetUtils.RunKinit(username, password) // PSI specific KerberOS user creation
-	}
-	return user, groups, err
+	// functional account login
+	return datasetUtils.AuthenticateUser(httpClient, APIServer, username, password, false)
 }
 
 func (r RealAuthenticator) GetUserInfoFromToken(httpClient *http.Client, APIServer string, token string) (map[string]string, []string, error) {

cmd/commands/root.go

@@ -34,11 +34,11 @@ func Execute() {
 func init() {
 	rootCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
 
-	rootCmd.PersistentFlags().StringP("user", "u", "", "Defines optional username:password string")
-	rootCmd.PersistentFlags().String("token", "", "Defines optional API token instead of username:password")
 	rootCmd.PersistentFlags().StringP("config", "c", "", "A path to a config file for connecting to SciCat and transfer services")
 	rootCmd.PersistentFlags().StringP("scicat-url", "s", "", "The scicat url to use. Note: it'll overwrite any built-in environments.")
-	rootCmd.PersistentFlags().Bool("oidc", false, "Use OIDC for login instead of internal user")
+	rootCmd.PersistentFlags().StringP("user", "u", "", "Authenticate using a functional account as a username:password string.")
+	rootCmd.PersistentFlags().String("token", "", "Authenticate using a scicat API token")
+	rootCmd.PersistentFlags().Bool("oidc", false, "Authenticate in a local browser")
 	rootCmd.PersistentFlags().BoolP("version", "v", false, "Show version")
 
 	rootCmd.MarkFlagsMutuallyExclusive("token", "oidc")

datasetUtils/authenticateUser.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 )
 
@@ -36,7 +37,22 @@ func newLoginRequestJson(username string, password string) ([]byte, error) {
 	return json.Marshal(l)
 }
 
+func getMessageFromErrorResponse(body string) string {
+	var parsed map[string]interface{}
+	if err := json.Unmarshal([]byte(body), &parsed); err != nil {
+		return body
+	}
+	if message, ok := parsed["message"].(string); ok {
+		return message
+	}
+	return body
+}
+
 func AuthenticateUser(client *http.Client, APIServer string, username string, password string, ldapLogin bool) (map[string]string, []string, error) {
+	if ldapLogin {
+		return map[string]string{}, []string{}, fmt.Errorf("LDAP login is not supported by scicat v4. Use a token or functional account.")
+	}
+
 	loginReqJson, err := newLoginRequestJson(username, password)
 	if err != nil {
 		return map[string]string{}, []string{}, err
@@ -60,9 +76,15 @@ func AuthenticateUser(client *http.Client, APIServer string, username string, pa
 	if resp.StatusCode != 201 {
 		body, err := io.ReadAll(resp.Body)
 		if err != nil {
-			return map[string]string{}, []string{}, fmt.Errorf("error when logging in: unknown error (can't parse body)")
+			return map[string]string{}, []string{}, fmt.Errorf("error when logging in: got status %d from the server during login", resp.StatusCode)
+		}
+
+		msg := getMessageFromErrorResponse(string(body))
+
+		if resp.StatusCode == 401 {
+			log.Println("Unauthorized access. Either the username/password is incorrect or the user is not a functional account.")
 		}
-		return map[string]string{}, []string{}, fmt.Errorf("error when logging in: '%s'", string(body))
+		return map[string]string{}, []string{}, fmt.Errorf("error when logging in: '%s'", msg)
 	}
 
 	respJson, err := io.ReadAll(resp.Body)