From 4a3910f058f7bff765740c73f8e667c01cd7f72f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matheus=20Lu=C3=ADs?= <matheus.bernardi@lnls.br>
Date: Wed, 14 May 2025 13:44:25 -0300
Subject: [PATCH 1/2] ENH: Support base_url parameter in
 ServerBasedAPIAccessControl

---
 .../authorization/api_access.py               | 39 ++++++++++++++-----
 1 file changed, 29 insertions(+), 10 deletions(-)

diff --git a/bluesky_httpserver/authorization/api_access.py b/bluesky_httpserver/authorization/api_access.py
index b4f00ff..8ba3912 100644
--- a/bluesky_httpserver/authorization/api_access.py
+++ b/bluesky_httpserver/authorization/api_access.py
@@ -469,10 +469,20 @@ def __init__(self, *, roles=None, users=None):
     type: string
   roles:  # Detailed validation is performed elsewhere
     description: The value is passed to BasicAPIAccessControl object
-  server:
-    type: string
-  port:
-    type: integer
+  oneOf:
+    - properties:
+        base_url:
+          type: string
+      required:
+        - base_url
+    - properties:
+        server:
+          type: string
+        port:
+          type: integer
+      required:
+        - server
+        - port
   update_period:
     type: integer
   expiration_period:
@@ -528,11 +538,17 @@ class ServerBasedAPIAccessControl(BasicAPIAccessControl):
     roles: dict or None, optional
         The dictionary that defines new and/or modifies existing roles. The dictionary
         is passed to the ``BasicAPIAccessControl`` constructor. Default: ``None``.
+    base_url: str, optional
+        The base URL for the Access Control server, such as
+        ``'http://accesscontrol.server.com:8000'``. If provided, this parameter is used
+        instead of the `server` and `port` parameters.
     server: str, optional
         Access Control server address, such as ``'accesscontrol.server.com'`` or
-        ``'110.43.6.45'``. The default address is ``localhost``.
+        ``'110.43.6.45'``. This parameter is used only if `base_url` is not provided.
+        The default address is ``localhost``.
     port: int, optional
-        Access Control server port. The default port is `8000`.
+        Access Control server port. This parameter is used only if `base_url` is not
+        provided. The default port is `8000`.
     update_period: int, optional
         Average period in seconds between consecutive requests for updated access data.
         The actual period is randomized (uniform distribution in the range +/-20% of
@@ -552,6 +568,7 @@ def __init__(
         *,
         instrument=None,
         roles=None,
+        base_url=None,
         server="localhost",
         port=8000,
         update_period=600,
@@ -567,6 +584,7 @@ def __init__(
             config = {
                 "instrument": instrument,
                 "roles": roles,
+                "base_url": base_url,
                 "server": server,
                 "port": port,
                 "update_period": update_period,
@@ -580,9 +598,11 @@ def __init__(
             raise ConfigError(f"ValidationError while validating parameters BasicAPIAccessControl: {msg}") from err
 
         self._instrument = instrument.lower()
+        if base_url:
+            self._base_url = base_url
+        else:
+            self._base_url = f"http://{server}:{port}"
 
-        self._server = server
-        self._port = port
         self._update_period = update_period
         self._http_timeout = http_timeout
         self._expiration_period = expiration_period or (update_period * 1.5)
@@ -597,9 +617,8 @@ async def update_access_info(self):
         """
         Send a single request to the API server and update locally stored access control info.
         """
-        base_url = f"http://{self._server}:{self._port}"
         access_api = f"/instrument/{self._instrument.lower()}/qserver/access"
-        async with httpx.AsyncClient(base_url=base_url, timeout=self._http_timeout) as client:
+        async with httpx.AsyncClient(base_url=self._base_url, timeout=self._http_timeout) as client:
             response = await client.get(access_api)
             response.raise_for_status()
             groups = response.json()

From 500113cb5651233ed2f1792d80f97f1f452348a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matheus=20Lu=C3=ADs?= <matheus.bernardi@lnls.br>
Date: Wed, 14 May 2025 16:03:52 -0300
Subject: [PATCH 2/2] FIX: Simplify schema for ServerBasedAPIAccessControl to
 optionally accept base_url

the proposed discriminated union was not working and would require the creation of a subschema inside this schema, so for simplicity if base_url is included it takes priority over the server+port defaults
---
 .../authorization/api_access.py               | 20 ++++++-------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/bluesky_httpserver/authorization/api_access.py b/bluesky_httpserver/authorization/api_access.py
index 8ba3912..54263d9 100644
--- a/bluesky_httpserver/authorization/api_access.py
+++ b/bluesky_httpserver/authorization/api_access.py
@@ -469,26 +469,18 @@ def __init__(self, *, roles=None, users=None):
     type: string
   roles:  # Detailed validation is performed elsewhere
     description: The value is passed to BasicAPIAccessControl object
-  oneOf:
-    - properties:
-        base_url:
-          type: string
-      required:
-        - base_url
-    - properties:
-        server:
-          type: string
-        port:
-          type: integer
-      required:
-        - server
-        - port
+  server:
+    type: string
+  port:
+    type: integer
   update_period:
     type: integer
   expiration_period:
     type: [integer, "null"]
   http_timeout:
     type: integer
+  base_url:
+    type: [string, "null"]
 """