[#1008] Get CPU and GPU temperature

carbonserver/carbonserver/api/errors.py

@@ -69,7 +69,9 @@ def get_http_exception(exception) -> HTTPException:
     take an internal exception and return a HTTPException
     """
     if isinstance(exception, UserException):
-        if isinstance(error := exception.error, NotAllowedError):
+        if isinstance(error := exception.error, UserError):
+            return HTTPException(status_code=401, detail=error.message)
+        elif isinstance(error := exception.error, NotAllowedError):
             return HTTPException(status_code=403, detail=error.message)
         elif isinstance(error := exception.error, NotFoundError):
             return HTTPException(status_code=404, detail=error.message)

carbonserver/carbonserver/api/routers/authenticate.py

@@ -34,9 +34,12 @@ def check_login(
     sign_up_service: SignUpService = Depends(Provide[ServerContainer.sign_up_service]),
 ):
     """
-    return user data or redirect to login screen
-    null value if not logged in
+    Return user data or null if not logged in.
+    Returns 401 if token is present but invalid/expired.
     """
+    if auth_user.auth_user is None:
+        return {"user": None}
+
     sign_up_service.check_jwt_user(auth_user.auth_user, create=True)
     return {"user": auth_user.auth_user}
 

carbonserver/carbonserver/api/services/auth_service.py

@@ -55,53 +55,69 @@ async def __call__(
     ):
         self.user_service = user_service
         if cookie_token is not None:
-            self.auth_user = jwt.decode(
+            self.auth_user = self._decode_cookie_token(cookie_token)
+        elif bearer_token is not None:
+            await self._validate_bearer_token(bearer_token, auth_provider)
+            self.auth_user = self._decode_bearer_token(bearer_token)
+        else:
+            self.auth_user = None
+            if self.error_if_not_found:
+                raise HTTPException(
+                    status_code=401,
+                    detail="No token provided, please log in",
+                )
+        self.db_user = self._get_db_user(user_service)
+        return self
+
+    def _decode_cookie_token(self, cookie_token: str):
+        try:
+            return jwt.decode(
                 cookie_token,
                 options={"verify_signature": False},
                 algorithms=["HS256", "RS256"],
             )
-        elif bearer_token is not None:
-            if settings.environment != "develop" and auth_provider is not None:
-                LOGGER.debug(
-                    f"Validating token with auth provider. Token: {bearer_token}"
-                )
-                try:
-                    await auth_provider.validate_access_token(bearer_token.credentials)
-                except Exception:
-                    raise HTTPException(status_code=401, detail="Invalid token")
-            # cli user using auth provider token
-            self.auth_user = jwt.decode(
+        except Exception:
+            raise HTTPException(401, "Session expired, please log in")
+
+    async def _validate_bearer_token(self, bearer_token, auth_provider):
+        if settings.environment != "develop" and auth_provider is not None:
+            try:
+                await auth_provider.validate_access_token(bearer_token.credentials)
+            except Exception:
+                raise HTTPException(status_code=401, detail="Invalid token")
+
+    def _decode_bearer_token(self, bearer_token) -> dict:
+        try:
+            auth_user = jwt.decode(
                 bearer_token.credentials,
                 options={"verify_signature": False},
-                algorithms=[
-                    "HS256",
-                    "RS256",
-                ],
+                algorithms=["HS256", "RS256"],
             )
-            if settings.environment == "develop":
-                try:
-                    # test user
-                    self.auth_user = jwt.decode(
-                        bearer_token.credentials,
-                        settings.jwt_key,
-                        algorithms=[
-                            "HS256",
-                            "RS256",
-                        ],
-                    )
-                except Exception:
-                    ...
-        else:
-            self.auth_user = None
-            if self.error_if_not_found:
-                raise HTTPException(status_code=401, detail="Unauthorized")
+        except Exception:
+            LOGGER.warning("Failed to decode bearer token")
+            raise HTTPException(
+                status_code=401,
+                detail="Invalid or expired token, please log in again",
+            )
+        if settings.environment == "develop":
+            try:
+                auth_user = jwt.decode(
+                    bearer_token.credentials,
+                    settings.jwt_key,
+                    algorithms=["HS256", "RS256"],
+                )
+            except Exception:
+                pass
+        return auth_user
 
+    def _get_db_user(self, user_service) -> Optional[dict]:
+        if self.auth_user is None:
+            return None
         try:
-            self.db_user = user_service.get_user_by_id(self.auth_user["sub"])
+            return user_service.get_user_by_id(self.auth_user["sub"])
         except Exception:
-            self.db_user = None
 
-        return self
+            return None
 
 
 OptionalUserWithAuthDependency = UserWithAuthDependency(error_if_not_found=False)

carbonserver/pyproject.toml

@@ -38,6 +38,7 @@ dependencies = [
     "fastapi-oidc>=0.0.9",
     "authlib>=1.6.6",
     "itsdangerous>=2.2.0",
+    "pytest-asyncio>=1.3.0",
 ]
 
 [project.optional-dependencies]

carbonserver/tests/api/routers/test_auth_fix.py

@@ -0,0 +1,44 @@
+"""
+Tests for issue #692 - missing/invalid tokens returning generic 500 error
+instead of proper 401.
+"""
+
+
+class TestGetHttpException:
+    """Tests for errors.py get_http_exception() - core fix for issue #692."""
+
+    def test_user_error_api_key_unknown_returns_401(self):
+        from carbonserver.carbonserver.api.errors import (
+            UserError,
+            UserErrorEnum,
+            UserException,
+            get_http_exception,
+        )
+
+        error = UserError(
+            code=UserErrorEnum.API_KEY_UNKNOWN, message="API key not found"
+        )
+        result = get_http_exception(UserException(error))
+        assert result.status_code == 401
+        assert result.detail == "API key not found"
+
+    def test_user_error_api_key_disabled_returns_401(self):
+        from carbonserver.carbonserver.api.errors import (
+            UserError,
+            UserErrorEnum,
+            UserException,
+            get_http_exception,
+        )
+
+        error = UserError(
+            code=UserErrorEnum.API_KEY_DISABLE, message="API key disabled"
+        )
+        result = get_http_exception(UserException(error))
+        assert result.status_code == 401
+
+    def test_generic_exception_returns_500_with_detail(self):
+        from carbonserver.carbonserver.api.errors import get_http_exception
+
+        result = get_http_exception(Exception("unexpected"))
+        assert result.status_code == 500
+        assert result.detail == "Internal Server Error"