From 2ea9beb84afe6a81a31335729ed8ad5a78ede836 Mon Sep 17 00:00:00 2001 From: Eu Pin Tien Date: Mon, 9 Jun 2025 17:14:32 +0100 Subject: [PATCH 1/4] Import 'murfey.client.websocket' directly --- src/murfey/instrument_server/__init__.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/murfey/instrument_server/__init__.py b/src/murfey/instrument_server/__init__.py index e6316a41a..8a7caf5c7 100644 --- a/src/murfey/instrument_server/__init__.py +++ b/src/murfey/instrument_server/__init__.py @@ -7,6 +7,7 @@ import murfey import murfey.client.update +import murfey.client.websocket from murfey.client.customlogging import CustomHandler from murfey.util import LogFilter from murfey.util.client import read_config From 9f64b06cf3a749e9e915da2ff2fc2f9aa92811ff Mon Sep 17 00:00:00 2001 From: Eu Pin Tien Date: Tue, 10 Jun 2025 09:42:14 +0100 Subject: [PATCH 2/4] Allow Murfey TUI tokens to pass for now --- src/murfey/server/api/auth.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/murfey/server/api/auth.py b/src/murfey/server/api/auth.py index 4a61b2868..fb3f59bcf 100644 --- a/src/murfey/server/api/auth.py +++ b/src/murfey/server/api/auth.py @@ -175,12 +175,15 @@ async def validate_instrument_token( if expiry_time := decoded_data.get("expiry_time"): if expiry_time < time.time(): raise JWTError + # Check that the decoded session corresponds to the visit elif decoded_data.get("session") is not None: - # Check that the decoded session corresponds to the visit if not validate_session_against_visit( decoded_data["session"], decoded_data["visit"] ): raise JWTError + # Check for Murfey TUI tokens (just a 'user' key) + elif decoded_data.get("user") is not None: + pass else: raise JWTError except JWTError: From a868c977d243e99e47696182fa0359a6653e18ea Mon Sep 17 00:00:00 2001 
From: Eu Pin Tien Date: Tue, 10 Jun 2025 11:30:53 +0100 Subject: [PATCH 3/4] Show messages describing why the TUI cannot connect to the server --- src/murfey/client/__init__.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/murfey/client/__init__.py b/src/murfey/client/__init__.py index bbc900cfe..736c2a5ac 100644 --- a/src/murfey/client/__init__.py +++ b/src/murfey/client/__init__.py @@ -275,9 +275,20 @@ def run(): rich_handler.setLevel(logging.DEBUG if args.debug else logging.INFO) # Set up websocket app and handler - client_id = requests.get( + client_id_response = requests.get( f"{murfey_url.geturl()}{url_path_for('session_control.router', 'new_client_id')}" - ).json() + ) + if client_id_response.status_code == 401: + exit( + "This instrument is not authorised to run the TUI app; please use the " + "Murfey web UI instead" + ) + elif client_id_response.status_code != 200: + exit( + "Unable to establish connection to Murfey server: \n" + f"{client_id_response.json()}" + ) + client_id: dict = client_id_response.json() ws = murfey.client.websocket.WSApp( server=args.server, id=client_id["new_id"], From 92acd0c3318f50036f7315ba037f7450052f745f Mon Sep 17 00:00:00 2001 From: Eu Pin Tien Date: Tue, 10 Jun 2025 11:32:29 +0100 Subject: [PATCH 4/4] Added 'allow_user_token' to security config to enable verification using the simpler 'user' token; allows this looser verification to be switched on or off per instrument --- src/murfey/server/api/auth.py | 7 ++++--- src/murfey/util/config.py | 9 +++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/murfey/server/api/auth.py b/src/murfey/server/api/auth.py index fb3f59bcf..24fe07f5f 100644 --- a/src/murfey/server/api/auth.py +++ b/src/murfey/server/api/auth.py 
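Review bot: The non-200 branch formats `client_id_response.json()` into the exit message, so an error reply without a JSON body (a proxy error page, for example) would raise a decode error instead of printing the explanation this patch is meant to give. Using the raw body avoids that: `f"{client_id_response.status_code}: {client_id_response.text}"`. The `requests.get(...)` call also has no `timeout=` and is not guarded against `requests.exceptions.ConnectionError`, so an unreachable server may still end in a traceback or a hang rather than a message. `run()` starts and ends outside this hunk, so a handler further up may already cover that case.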
@@ -181,9 +181,10 @@ async def validate_instrument_token( decoded_data["session"], decoded_data["visit"] ): raise JWTError - # Check for Murfey TUI tokens (just a 'user' key) - elif decoded_data.get("user") is not None: - pass + # Verify 'user' token if enabled + elif security_config.allow_user_token: + if not decoded_data.get("user"): + raise JWTError else: raise JWTError except JWTError: diff --git a/src/murfey/util/config.py b/src/murfey/util/config.py index 4c385d385..b07452bb7 100644 --- a/src/murfey/util/config.py +++ b/src/murfey/util/config.py @@ -124,13 +124,14 @@ class Security(BaseModel): ispyb_credentials: Optional[Path] = None # Murfey server connection settings + auth_url: str = "" + auth_type: Literal["password", "cookie"] = "password" auth_algorithm: str = "" auth_key: str = "" - auth_type: Literal["password", "cookie"] = "password" - auth_url: str = "" - instrument_auth_type: Literal["token", ""] = "token" - instrument_auth_url: str = "" cookie_key: str = "" + instrument_auth_url: str = "" + instrument_auth_type: Literal["token", ""] = "token" + allow_user_token: bool = False # TUI 'user' token support session_validation: str = "" session_token_timeout: Optional[int] = None allow_origins: list[str] = ["*"]
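Review bot: Tokens accepted by the new `elif security_config.allow_user_token:` branch carry no expiry and no session/visit binding; the only check is that `user` is non-empty. This assumes the chain hangs off the outer `if expiry_time := ...` (indentation is lost in this rendering), in which case the branch is reached only when the token has neither an `expiry_time` nor a `session`. With the flag on, a leaked TUI token would presumably stay valid until the signing key is changed; the unconditional form added in PATCH 2/4 has the same property. Consider issuing TUI tokens with an `expiry_time` so the first branch handles them, and state the trade-off at the check, e.g. `# 'user' tokens reaching here have no expiry and no session binding`. The enclosing `validate_instrument_token` and the token decode lie outside the hunk.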
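Review bot: The comment on `allow_user_token` does not say what enabling it relaxes, which an operator editing the `Security` model needs to know. Going by the auth.py change in this patch, a fuller comment would be `# Accept instrument tokens that carry only a 'user' claim (no session/visit check); leave False unless the TUI must connect`. The reordering of the neighbouring `auth_*` and `instrument_auth_*` fields looks cosmetic, but the class body continues outside the hunk.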