Move auth URL to machine configuration for now so it can be used with…

… existing server setup (#369) Co-authored-by: Daniel Hatton <[email protected]>
DiamondLightSource · Oct 14, 2024 · 0c39bec · 0c39bec
1 parent df1497d
commit 0c39bec
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 9 deletions.
diff --git a/src/murfey/server/api/auth.py b/src/murfey/server/api/auth.py
@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import os
 import secrets
 import time
 from logging import getLogger
@@ -18,7 +19,7 @@
 
 from murfey.server import sanitise
 from murfey.server.murfey_db import murfey_db, url
-from murfey.util.config import get_security_config
+from murfey.util.config import get_machine_config, get_security_config
 from murfey.util.db import MurfeyUser as User
 from murfey.util.db import Session as MurfeySession
 
@@ -63,6 +64,12 @@ async def __call__(self, request: Request):
 
 # Set up variables used for authentication
 security_config = get_security_config()
+machine_config = get_machine_config()
+auth_url = (
+    machine_config[os.getenv("BEAMLINE", "")].auth_url
+    if machine_config.get(os.getenv("BEAMLINE", ""))
+    else ""
+)
 ALGORITHM = security_config.auth_algorithm or "HS256"
 SECRET_KEY = security_config.auth_key or secrets.token_hex(32)
 if security_config.auth_type == "password":
@@ -156,7 +163,7 @@ def password_token_validation(token: str):
 
 async def validate_token(token: Annotated[str, Depends(oauth2_scheme)]):
     try:
-        if security_config.auth_url:
+        if auth_url:
             headers = (
                 {}
                 if security_config.auth_type == "cookie"
@@ -169,7 +176,7 @@ async def validate_token(token: Annotated[str, Depends(oauth2_scheme)]):
             )
             async with aiohttp.ClientSession(cookies=cookies) as session:
                 async with session.get(
-                    f"{security_config.auth_url}/validate_token",
+                    f"{auth_url}/validate_token",
                     headers=headers,
                 ) as response:
                     success = response.status == 200
@@ -218,13 +225,13 @@ class Token(BaseModel):
 
 
 def create_access_token(data: dict, token: str = "") -> str:
-    if security_config.auth_url and data.get("session"):
+    if auth_url and data.get("session"):
         session_id = data["session"]
         if not isinstance(session_id, int) and session_id > 0:
             # check the session ID is alphanumeric for security
             raise ValueError("Session ID was invalid (not alphanumeric)")
         minted_token_response = requests.get(
-            f"{security_config.auth_url}/sessions/{sanitise(str(session_id))}/token",
+            f"{auth_url}/sessions/{sanitise(str(session_id))}/token",
             headers={"Authorization": f"Bearer {token}"},
         )
         if minted_token_response.status_code != 200:
@@ -250,13 +257,13 @@ def create_access_token(data: dict, token: str = "") -> str:
 async def generate_token(
     form_data: Annotated[OAuth2PasswordRequestForm, Depends()],
 ) -> Token:
-    if security_config.auth_url:
+    if auth_url:
         data = aiohttp.FormData()
         data.add_field("username", form_data.username)
         data.add_field("password", form_data.password)
         async with aiohttp.ClientSession() as session:
             async with session.post(
-                f"{security_config.auth_url}/token",
+                f"{auth_url}/token",
                 data=data,
             ) as response:
                 validated = response.status == 200
@@ -270,7 +277,7 @@ async def generate_token(
             detail="Incorrect username or password",
             headers={"WWW-Authenticate": "Bearer"},
         )
-    if not security_config.auth_url:
+    if not auth_url:
         access_token = create_access_token(
             data={"user": form_data.username},
         )

diff --git a/src/murfey/util/config.py b/src/murfey/util/config.py
@@ -65,6 +65,7 @@ class MachineConfig(BaseModel):
     murfey_url: str = "http://localhost:8000"
 
     security_configuration_path: Optional[Path] = None
+    auth_url: str = ""
 
 
 def from_file(config_file_path: Path, instrument: str = "") -> Dict[str, MachineConfig]:
@@ -85,7 +86,6 @@ class Security(BaseModel):
     sqlalchemy_pooling: bool = True
     allow_origins: List[str] = ["*"]
     session_validation: str = ""
-    auth_url: str = ""
     session_token_timeout: Optional[int] = None
     auth_type: Literal["password", "cookie"] = "password"
     cookie_key: str = ""