From 2644b85989403318136ff12436645ac4944e5962 Mon Sep 17 00:00:00 2001
From: Matthew Evans <git@ml-evs.science>
Date: Sat, 22 Feb 2025 11:48:42 +0000
Subject: [PATCH 1/8] WIP work generating secure QR code links

---
 webapp/src/components/QRCode.vue | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/webapp/src/components/QRCode.vue b/webapp/src/components/QRCode.vue
index cff1c60a5..db499105f 100644
--- a/webapp/src/components/QRCode.vue
+++ b/webapp/src/components/QRCode.vue
@@ -35,6 +35,7 @@
 
 <script>
 import QRCodeVue3 from "qrcode-vue3";
+import jwt from "jsonwebtoken";
 import { FEDERATION_QR_CODE_RESOLVER_URL, QR_CODE_RESOLVER_URL, API_URL } from "@/resources.js";
 
 export default {
@@ -58,6 +59,19 @@ export default {
     };
   },
   computed: {
+    accessToken() {
+      // Generate a JWT token with the refcode as the subject
+      // that provides unauthenticated access to the entry when
+      // scanned. The token must be secured using a secret key
+      // shared with the API, which has the responsibility of tracking
+      // such keys.
+      const payload = {
+        user_id: this.$store.getters.getCurrentUserID,
+        refcode: this.refcode,
+      };
+
+      return jwt.sign(payload, "secret", { algorithm: "HS256", noTimestamp: true });
+    },
     federatedQR() {
       return FEDERATION_QR_CODE_RESOLVER_URL == QR_CODE_RESOLVER_URL;
     },
@@ -65,9 +79,11 @@ export default {
       // If the QR_CODE_RESOLVER_URL is not set, use the API_URL
       // with the redirect-to-ui option
       if (QR_CODE_RESOLVER_URL == null) {
-        return API_URL + "/items/" + this.refcode + "?redirect-to-ui=true";
+        return (
+          API_URL + "/items/" + this.refcode + "?redirect-to-ui=true" + "&token=" + this.accessToken
+        );
       }
-      return QR_CODE_RESOLVER_URL + "/" + this.refcode;
+      return QR_CODE_RESOLVER_URL + "/" + this.refcode + "&token=" + this.accessToken;
     },
   },
 };

From 4c97676693010b2706b20b5675fa4a135fa92f94 Mon Sep 17 00:00:00 2001
From: Matthew Evans <git@ml-evs.science>
Date: Sun, 18 May 2025 14:13:27 +0100
Subject: [PATCH 2/8] More placeholder work embedding tokens in QRs

---
 webapp/src/components/QRCode.vue | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/webapp/src/components/QRCode.vue b/webapp/src/components/QRCode.vue
index db499105f..b437c1885 100644
--- a/webapp/src/components/QRCode.vue
+++ b/webapp/src/components/QRCode.vue
@@ -4,7 +4,7 @@
       :value="QRCodeUrl"
       :width="width"
       :height="width"
-      :qr-options="{ typeNumber: 0, mode: 'Byte', errorCorrectionLevel: 'H' }"
+      :qr-options="{ typeNumber: 0, mode: 'Byte', errorCorrectionLevel: 'Q' }"
       :image-options="{ hideBackgroundDots: false, imageSize: 0, margin: 0 }"
       :dots-options="{
         type: 'square',
@@ -35,7 +35,6 @@
 
 <script>
 import QRCodeVue3 from "qrcode-vue3";
-import jwt from "jsonwebtoken";
 import { FEDERATION_QR_CODE_RESOLVER_URL, QR_CODE_RESOLVER_URL, API_URL } from "@/resources.js";
 
 export default {
@@ -60,17 +59,7 @@ export default {
   },
   computed: {
     accessToken() {
-      // Generate a JWT token with the refcode as the subject
-      // that provides unauthenticated access to the entry when
-      // scanned. The token must be secured using a secret key
-      // shared with the API, which has the responsibility of tracking
-      // such keys.
-      const payload = {
-        user_id: this.$store.getters.getCurrentUserID,
-        refcode: this.refcode,
-      };
-
-      return jwt.sign(payload, "secret", { algorithm: "HS256", noTimestamp: true });
+      return "v1-aaaaaaabbbbbbbbcccccccc";
     },
     federatedQR() {
       return FEDERATION_QR_CODE_RESOLVER_URL == QR_CODE_RESOLVER_URL;

From 697478ac3baf215508c2ec5a7fa1821dc4fe4eb1 Mon Sep 17 00:00:00 2001
From: Matthew Evans <git@ml-evs.science>
Date: Sat, 24 May 2025 09:56:34 +0100
Subject: [PATCH 3/8] Add initial draft endpoints and tests for issuing access
 tokens

---
 pydatalab/src/pydatalab/permissions.py       | 32 +++++++-
 pydatalab/src/pydatalab/routes/v0_1/items.py | 80 +++++++++++++++++++-
 pydatalab/tests/server/test_permissions.py   | 44 +++++++++++
 3 files changed, 151 insertions(+), 5 deletions(-)

diff --git a/pydatalab/src/pydatalab/permissions.py b/pydatalab/src/pydatalab/permissions.py
index 0bfd4f8e8..1fb1646bb 100644
--- a/pydatalab/src/pydatalab/permissions.py
+++ b/pydatalab/src/pydatalab/permissions.py
@@ -1,4 +1,5 @@
 from functools import wraps
+from hashlib import sha512
 from typing import Any
 
 from bson import ObjectId
@@ -60,7 +61,30 @@ def wrapped_route(*args, **kwargs):
     return wrapped_route
 
 
-def get_default_permissions(user_only: bool = True, deleting: bool = False) -> dict[str, Any]:
+def check_access_token(refcode: str, token: str | None = None) -> bool:
+    """Check whether the provided access token exists in the get_database
+    and corresponds to the relevant refcode.
+
+    Returns:
+        Whether or not the token can read the item.
+
+    """
+
+    if not token:
+        return False
+
+    access_document = get_database().api_keys.find_one(
+        sha512(token.encode("utf-8")).hexdigest(), projection={"refcode": 1}
+    )
+    if refcode == access_document["refcode"]:
+        return True
+
+    return False
+
+
+def get_default_permissions(
+    user_only: bool = True, deleting: bool = False, elevate_permissions: bool = False
+) -> dict[str, Any]:
     """Return the MongoDB query terms corresponding to the current user.
 
     Will return open permissions if a) the `CONFIG.TESTING` parameter is `True`,
@@ -70,6 +94,8 @@ def get_default_permissions(user_only: bool = True, deleting: bool = False) -> d
         user_only: Whether to exclude items that also have no attached user (`False`),
             i.e., public items. This should be set to `False` when reading (and wanting
             to return public items), but left as `True` when modifying or removing items.
+        elevate_permissions: Whether to elevate this query's permissions, i.e., in the case
+            that an item-specific access token has been provided elsewhere.
 
     """
 
@@ -84,6 +110,10 @@ def get_default_permissions(user_only: bool = True, deleting: bool = False) -> d
     ):
         return {}
 
+    if elevate_permissions:
+        LOGGER.warning("Permissions check with elevated permissions, likely due to access token usage")
+        return {}
+
     null_perm = {
         "$or": [
             {"creator_ids": {"$size": 0}},
diff --git a/pydatalab/src/pydatalab/routes/v0_1/items.py b/pydatalab/src/pydatalab/routes/v0_1/items.py
index a886f57e2..678b32e20 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/items.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/items.py
@@ -1,5 +1,7 @@
 import datetime
 import json
+import uuid
+from hashlib import sha512
 
 from bson import ObjectId
 from flask import Blueprint, jsonify, redirect, request
@@ -18,7 +20,12 @@
 from pydatalab.models.relationships import RelationshipType
 from pydatalab.models.utils import generate_unique_refcode
 from pydatalab.mongo import ITEMS_FTS_FIELDS, flask_mongo
-from pydatalab.permissions import PUBLIC_USER_ID, active_users_or_get_only, get_default_permissions
+from pydatalab.permissions import (
+    PUBLIC_USER_ID,
+    active_users_or_get_only,
+    check_access_token,
+    get_default_permissions,
+)
 
 ITEMS = Blueprint("items", __name__)
 
@@ -746,6 +753,56 @@ def update_item_permissions(refcode: str):
     return jsonify({"status": "success"}), 200
 
 
+@ITEMS.route("/items/<refcode>/issue-access-token", methods=["GET"])
+def issue_physical_token(refcode: str):
+    """Issue a token that will give semi-permanent access to an
+    item with this refcode. This should be used when generating
+    physicsl labels to attach to a container.
+
+    """
+
+    if len(refcode.split(":")) != 2:
+        refcode = f"{CONFIG.IDENTIFIER_PREFIX}:{refcode}"
+
+    current_item = flask_mongo.db.items.find_one(
+        {"refcode": refcode, **get_default_permissions(user_only=True)},
+        {"refcode": 1},
+    )  # type: ignore
+
+    if not current_item:
+        return (
+            jsonify(
+                {
+                    "status": "error",
+                    "message": f"No valid item found with the given {refcode=}.",
+                }
+            ),
+            401,
+        )
+
+        return (
+            jsonify(
+                {
+                    "status": "error",
+                    "message": "No valid creator IDs found in the request.",
+                }
+            ),
+            400,
+        )
+
+    # generate token and store it in `api_keys` collection
+    token = str(uuid.uuid1())
+    access_document = {"token": sha512(token.encode("utf-8")).hexdigest(), "refcode": refcode}
+
+    save_key = flask_mongo.db.api_keys.insert_one(**access_document)
+    if not save_key:
+        return jsonify(
+            {"status": "error", "message": "Unknown error generating token for item."}
+        ), 500
+
+    return jsonify({"status": "success", "token": token}), 200
+
+
 @ITEMS.route("/delete-sample/", methods=["POST"])
 def delete_sample():
     request_json = request.get_json()  # noqa: F821 pylint: disable=undefined-variable
@@ -782,8 +839,21 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
     or `refcode` additionally resolving relationships to files and other items.
     """
     redirect_to_ui = bool(request.args.get("redirect-to-ui", default=False, type=json.loads))
+    access_token = request.args.get("at")
     if refcode and redirect_to_ui and CONFIG.APP_URL:
-        return redirect(f"{CONFIG.APP_URL}/items/{refcode}", code=307)
+        redirect_url = f"{CONFIG.APP_URL}/items/{refcode}"
+        if access_token:
+            redirect_url += f"?at={access_token}"
+        return redirect(redirect_url, code=307)
+
+    valid_access_token: bool = False
+    if refcode and access_token:
+        valid_access_token = check_access_token(refcode, access_token)
+        if not valid_access_token:
+            return (
+                jsonify({"status": "error", "message": "Invalid access token"}),
+                401,
+            )
 
     if item_id:
         match = {"item_id": item_id}
@@ -809,7 +879,9 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
             {
                 "$match": {
                     **match,
-                    **get_default_permissions(user_only=False),
+                    **get_default_permissions(
+                        user_only=False, elevate_permissions=valid_access_token
+                    ),
                 }
             },
             {"$lookup": creators_lookup()},
@@ -1026,7 +1098,7 @@ def save_item():
     item.pop("creators")
 
     result = flask_mongo.db.items.update_one(
-        {"item_id": item_id},
+        {"item_id": item_id, **get_default_permissions(user_only=True)},
         {"$set": item},
     )
 
diff --git a/pydatalab/tests/server/test_permissions.py b/pydatalab/tests/server/test_permissions.py
index b149d958a..b42a25486 100644
--- a/pydatalab/tests/server/test_permissions.py
+++ b/pydatalab/tests/server/test_permissions.py
@@ -84,3 +84,47 @@ def test_basic_permissions_update(admin_client, admin_user_id, client, user_id):
     # but that the admin still remains the creator
     response = admin_client.get(f"/items/{refcode}")
     assert response.status_code == 200
+
+
+def test_access_token_permissions(client, unauthenticated_client, admin_client, database):
+    response = client.post("/new-sample/", json={"type": "samples", "item_id": "private-sample"})
+    assert response.status_code == 201
+    response = response.json()
+
+    refcode = response["sample_list_entry"]["refcode"]
+    assert refcode
+
+    response = client.get(f"/items/{refcode}/issue-access-token")
+    response = response.json()
+    assert response["status"] == "success"
+    token = response["token"]
+    assert token
+
+    response = unauthenticated_client.get(f"/items/{refcode}")
+    assert response.status_code == 404
+
+    response = unauthenticated_client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 200
+
+    response = unauthenticated_client.get(f"/items/{refcode}?at={token}123")
+    assert response.status_code == 200
+
+    response = admin_client.get(f"/items/{refcode}")
+    assert response.status_code == 200
+
+    response = admin_client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 200
+
+    database.api_keys.drop()
+
+    response = admin_client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 401
+
+    response = client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 401
+
+    response = client.get(f"/items/{refcode}")
+    assert response.status_code == 200
+
+    response = unauthenticated_client.get(f"/items/{refcode}?at={token}")
+    assert response.status_code == 401

From e4f6005d0b4c48211a95a4d952d032e5c585ec42 Mon Sep 17 00:00:00 2001
From: Matthew Evans <git@ml-evs.science>
Date: Sat, 24 May 2025 10:00:55 +0100
Subject: [PATCH 4/8] Store requesting user ID alongside access token

---
 pydatalab/src/pydatalab/routes/v0_1/items.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pydatalab/src/pydatalab/routes/v0_1/items.py b/pydatalab/src/pydatalab/routes/v0_1/items.py
index 678b32e20..3ca71396e 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/items.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/items.py
@@ -792,8 +792,11 @@ def issue_physical_token(refcode: str):
 
     # generate token and store it in `api_keys` collection
     token = str(uuid.uuid1())
-    access_document = {"token": sha512(token.encode("utf-8")).hexdigest(), "refcode": refcode}
-
+    access_document = {
+        "token": sha512(token.encode("utf-8")).hexdigest(),
+        "refcode": refcode,
+        "user": ObjectId(current_user.id),
+    }
     save_key = flask_mongo.db.api_keys.insert_one(**access_document)
     if not save_key:
         return jsonify(

From 0e08d0e04ba5941fc89b1e27b165ec2046301691 Mon Sep 17 00:00:00 2001
From: Matthew Evans <git@ml-evs.science>
Date: Sat, 24 May 2025 10:15:09 +0100
Subject: [PATCH 5/8] Add admin endpoint for invalidating access tokens

---
 pydatalab/src/pydatalab/permissions.py       | 15 +++++++++++----
 pydatalab/src/pydatalab/routes/v0_1/admin.py | 18 ++++++++++++++++++
 pydatalab/src/pydatalab/routes/v0_1/items.py |  1 +
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/pydatalab/src/pydatalab/permissions.py b/pydatalab/src/pydatalab/permissions.py
index 1fb1646bb..18a1d10c1 100644
--- a/pydatalab/src/pydatalab/permissions.py
+++ b/pydatalab/src/pydatalab/permissions.py
@@ -73,10 +73,15 @@ def check_access_token(refcode: str, token: str | None = None) -> bool:
     if not token:
         return False
 
-    access_document = get_database().api_keys.find_one(
-        sha512(token.encode("utf-8")).hexdigest(), projection={"refcode": 1}
+    db = get_database()
+
+    hashed_token = sha512(token.encode("utf-8")).hexdigest()
+
+    access_document = db.api_keys.find_one(
+        {"token": hashed_token}, projection={"refcode": 1, "valid": 1}
     )
-    if refcode == access_document["refcode"]:
+    if refcode == access_document["refcode"] and access_document["active"]:
+        LOGGER.info("Access to refcode %s granted with token", refcode, token)
         return True
 
     return False
@@ -111,7 +116,9 @@ def get_default_permissions(
         return {}
 
     if elevate_permissions:
-        LOGGER.warning("Permissions check with elevated permissions, likely due to access token usage")
+        LOGGER.warning(
+            "Permissions check with elevated permissions, likely due to access token usage"
+        )
         return {}
 
     null_perm = {
diff --git a/pydatalab/src/pydatalab/routes/v0_1/admin.py b/pydatalab/src/pydatalab/routes/v0_1/admin.py
index c95334073..a23d8dae7 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/admin.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/admin.py
@@ -1,3 +1,5 @@
+from hashlib import sha512
+
 from bson import ObjectId
 from flask import Blueprint, jsonify, request
 from flask_login import current_user
@@ -93,3 +95,19 @@ def save_role(user_id):
         )
 
     return (jsonify({"status": "success"}), 200)
+
+
+@ADMIN.route("/items/<refcode>/invalidate-access-token")
+def invalidate_access_token(refcode: str, METHODS=["POST"]):
+    request_json = request.get_json()  # noqa: F821 pylint: disable=undefined-variable
+    token = request_json.get("token")
+    if not token:
+        return jsonify({"status": "error", "detail": "No token provided."}), 400
+
+    response = flask_mongo.db.api_keys.update_one(
+        {"token": sha512(token.encode("utf-8")).hexdigest()}, {"$set": {"active": False}}
+    )
+    if response.modified_count == 1:
+        return jsonify({"status": "success"}), 200
+
+    return jsonify({"status": "error", "detail": "Unable to invalidate token"}), 400
diff --git a/pydatalab/src/pydatalab/routes/v0_1/items.py b/pydatalab/src/pydatalab/routes/v0_1/items.py
index 3ca71396e..5dd42254d 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/items.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/items.py
@@ -796,6 +796,7 @@ def issue_physical_token(refcode: str):
         "token": sha512(token.encode("utf-8")).hexdigest(),
         "refcode": refcode,
         "user": ObjectId(current_user.id),
+        "active": True,
     }
     save_key = flask_mongo.db.api_keys.insert_one(**access_document)
     if not save_key:

From 9ac73a69e2d2d3c9ac1b23b815699fcbc8fcccb1 Mon Sep 17 00:00:00 2001
From: Benjamin CHARMES <benjamin.charmes@gmail.com>
Date: Wed, 3 Sep 2025 16:30:53 +0200
Subject: [PATCH 6/8] Ability to generate public QR codes in the UI and admin
 panel to manage access tokens

---
 pydatalab/src/pydatalab/permissions.py       |  39 ++-
 pydatalab/src/pydatalab/routes/v0_1/admin.py |  87 ++++++-
 pydatalab/src/pydatalab/routes/v0_1/items.py | 166 ++++++++++---
 webapp/src/components/AdminDisplay.vue       |  13 +-
 webapp/src/components/QRCode.vue             | 238 ++++++++++++++++++-
 webapp/src/components/TokenTable.vue         | 195 +++++++++++++++
 webapp/src/server_fetch_utils.js             |  19 +-
 webapp/src/views/Admin.vue                   |   2 +-
 webapp/src/views/EditPage.vue                |  13 +-
 9 files changed, 688 insertions(+), 84 deletions(-)
 create mode 100644 webapp/src/components/TokenTable.vue

diff --git a/pydatalab/src/pydatalab/permissions.py b/pydatalab/src/pydatalab/permissions.py
index 18a1d10c1..7a0dee1a9 100644
--- a/pydatalab/src/pydatalab/permissions.py
+++ b/pydatalab/src/pydatalab/permissions.py
@@ -10,7 +10,7 @@
 from pydatalab.logger import LOGGER
 from pydatalab.login import UserRole
 from pydatalab.models.people import AccountStatus
-from pydatalab.mongo import get_database
+from pydatalab.mongo import flask_mongo, get_database
 
 PUBLIC_USER_ID = ObjectId(24 * "0")
 
@@ -18,11 +18,24 @@
 def active_users_or_get_only(func):
     """Decorator to ensure that only active user accounts can access the route,
     unless it is a GET-route, in which case deactivated accounts can also access it.
-
+    Now also allows access with valid access tokens.
     """
 
     @wraps(func)
     def wrapped_route(*args, **kwargs):
+        access_token = request.args.get("at")
+        refcode = kwargs.get("refcode")
+
+        if not refcode and access_token:
+            path_parts = request.path.strip("/").split("/")
+            if len(path_parts) >= 2 and path_parts[0] == "items":
+                refcode = path_parts[1]
+
+        if access_token and refcode:
+            token_valid = check_access_token(refcode, access_token)
+            if token_valid:
+                return func(*args, **kwargs)
+
         if (
             (
                 current_user.is_authenticated
@@ -70,21 +83,23 @@ def check_access_token(refcode: str, token: str | None = None) -> bool:
 
     """
 
-    if not token:
+    if not token or not refcode:
         return False
 
-    db = get_database()
+    try:
+        if len(refcode.split(":")) != 2:
+            refcode = f"{CONFIG.IDENTIFIER_PREFIX}:{refcode}"
 
-    hashed_token = sha512(token.encode("utf-8")).hexdigest()
+        token_hash = sha512(token.encode("utf-8")).hexdigest()
 
-    access_document = db.api_keys.find_one(
-        {"token": hashed_token}, projection={"refcode": 1, "valid": 1}
-    )
-    if refcode == access_document["refcode"] and access_document["active"]:
-        LOGGER.info("Access to refcode %s granted with token", refcode, token)
-        return True
+        access_token_doc = flask_mongo.db.api_keys.find_one(
+            {"token": token_hash, "refcode": refcode, "active": True, "type": "access_token"}
+        )
+
+        return bool(access_token_doc)
 
-    return False
+    except Exception:
+        return False
 
 
 def get_default_permissions(
diff --git a/pydatalab/src/pydatalab/routes/v0_1/admin.py b/pydatalab/src/pydatalab/routes/v0_1/admin.py
index a23d8dae7..a303e7221 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/admin.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/admin.py
@@ -1,4 +1,4 @@
-from hashlib import sha512
+import datetime
 
 from bson import ObjectId
 from flask import Blueprint, jsonify, request
@@ -97,17 +97,86 @@ def save_role(user_id):
     return (jsonify({"status": "success"}), 200)
 
 
-@ADMIN.route("/items/<refcode>/invalidate-access-token")
-def invalidate_access_token(refcode: str, METHODS=["POST"]):
-    request_json = request.get_json()  # noqa: F821 pylint: disable=undefined-variable
-    token = request_json.get("token")
-    if not token:
-        return jsonify({"status": "error", "detail": "No token provided."}), 400
+@ADMIN.route("/items/<refcode>/invalidate-access-token", methods=["POST"])
+def invalidate_access_token(refcode: str):
+    request_json = request.get_json(silent=True) or {}
+
+    if len(refcode.split(":")) != 2:
+        refcode = f"{CONFIG.IDENTIFIER_PREFIX}:{refcode}"
+
+    if request_json.get("token") == "admin-invalidation":
+        query = {"refcode": refcode, "active": True, "type": "access_token"}
+    else:
+        query = {"refcode": refcode, "active": True, "type": "access_token"}
 
     response = flask_mongo.db.api_keys.update_one(
-        {"token": sha512(token.encode("utf-8")).hexdigest()}, {"$set": {"active": False}}
+        query,
+        {
+            "$set": {
+                "active": False,
+                "invalidated_at": datetime.datetime.now(tz=datetime.timezone.utc),
+                "invalidated_by": ObjectId(current_user.id),
+            }
+        },
     )
+
     if response.modified_count == 1:
         return jsonify({"status": "success"}), 200
+    else:
+        return jsonify({"status": "error", "detail": "Token not found or already invalidated"}), 404
+
+
+@ADMIN.route("/access-tokens", methods=["GET"])
+def list_access_tokens():
+    """List all access tokens with their status and metadata."""
+
+    pipeline = [
+        {"$match": {"type": "access_token"}},
+        {
+            "$lookup": {
+                "from": "items",
+                "localField": "refcode",
+                "foreignField": "refcode",
+                "as": "item_info",
+            }
+        },
+        {
+            "$lookup": {
+                "from": "users",
+                "localField": "user",
+                "foreignField": "_id",
+                "as": "user_info",
+            }
+        },
+        {
+            "$project": {
+                "_id": 1,
+                "refcode": 1,
+                "active": 1,
+                "created_at": 1,
+                "invalidated_at": 1,
+                "token": {"$substr": ["$token", 0, 16]},
+                "item_name": {
+                    "$cond": {
+                        "if": {"$gt": [{"$size": "$item_info"}, 0]},
+                        "then": {"$arrayElemAt": ["$item_info.name", 0]},
+                        "else": None,
+                    }
+                },
+                "item_id": {"$arrayElemAt": ["$item_info.item_id", 0]},
+                "item_type": {
+                    "$cond": {
+                        "if": {"$gt": [{"$size": "$item_info"}, 0]},
+                        "then": {"$arrayElemAt": ["$item_info.type", 0]},
+                        "else": "deleted",
+                    }
+                },
+                "created_by": {"$arrayElemAt": ["$user_info.display_name", 0]},
+            }
+        },
+        {"$sort": {"created_at": -1}},
+    ]
+
+    tokens = list(flask_mongo.db.api_keys.aggregate(pipeline))
 
-    return jsonify({"status": "error", "detail": "Unable to invalidate token"}), 400
+    return jsonify({"status": "success", "tokens": tokens}), 200
diff --git a/pydatalab/src/pydatalab/routes/v0_1/items.py b/pydatalab/src/pydatalab/routes/v0_1/items.py
index 5dd42254d..efdb80806 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/items.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/items.py
@@ -753,11 +753,12 @@ def update_item_permissions(refcode: str):
     return jsonify({"status": "success"}), 200
 
 
-@ITEMS.route("/items/<refcode>/issue-access-token", methods=["GET"])
+@ITEMS.route("/items/<refcode>/issue-access-token", methods=["POST"])
+@active_users_or_get_only
 def issue_physical_token(refcode: str):
     """Issue a token that will give semi-permanent access to an
     item with this refcode. This should be used when generating
-    physicsl labels to attach to a container.
+    physical labels to attach to a container.
 
     """
 
@@ -767,44 +768,52 @@ def issue_physical_token(refcode: str):
     current_item = flask_mongo.db.items.find_one(
         {"refcode": refcode, **get_default_permissions(user_only=True)},
         {"refcode": 1},
-    )  # type: ignore
+    )
 
     if not current_item:
-        return (
-            jsonify(
-                {
-                    "status": "error",
-                    "message": f"No valid item found with the given {refcode=}.",
-                }
-            ),
-            401,
-        )
+        return jsonify(
+            {
+                "status": "error",
+                "message": f"No valid item found with the given {refcode=}.",
+            }
+        ), 404
 
-        return (
-            jsonify(
-                {
-                    "status": "error",
-                    "message": "No valid creator IDs found in the request.",
-                }
-            ),
-            400,
-        )
+    existing_token = flask_mongo.db.api_keys.find_one(
+        {"refcode": refcode, "active": True, "type": "access_token"}
+    )
+
+    if existing_token:
+        return jsonify(
+            {
+                "status": "error",
+                "message": "An active access token already exists for this item. Please invalidate it first.",
+            }
+        ), 409
 
-    # generate token and store it in `api_keys` collection
+    # Generate token and store it in `api_keys` collection
     token = str(uuid.uuid1())
     access_document = {
         "token": sha512(token.encode("utf-8")).hexdigest(),
         "refcode": refcode,
         "user": ObjectId(current_user.id),
         "active": True,
+        "created_at": datetime.datetime.now(tz=datetime.timezone.utc),
+        "type": "access_token",
     }
-    save_key = flask_mongo.db.api_keys.insert_one(**access_document)
-    if not save_key:
+
+    try:
+        result = flask_mongo.db.api_keys.insert_one(access_document)
+        if not result.inserted_id:
+            return jsonify(
+                {"status": "error", "message": "Unknown error generating token for item."}
+            ), 500
+    except Exception as e:
+        LOGGER.error(f"Error inserting access token: {e}")
         return jsonify(
-            {"status": "error", "message": "Unknown error generating token for item."}
+            {"status": "error", "message": "Database error generating token for item."}
         ), 500
 
-    return jsonify({"status": "success", "token": token}), 200
+    return jsonify({"status": "success", "token": token}), 201
 
 
 @ITEMS.route("/delete-sample/", methods=["POST"])
@@ -812,11 +821,12 @@ def delete_sample():
     request_json = request.get_json()  # noqa: F821 pylint: disable=undefined-variable
     item_id = request_json["item_id"]
 
-    result = flask_mongo.db.items.delete_one(
-        {"item_id": item_id, **get_default_permissions(user_only=True, deleting=True)}
+    item = flask_mongo.db.items.find_one(
+        {"item_id": item_id, **get_default_permissions(user_only=True, deleting=True)},
+        {"refcode": 1},
     )
 
-    if result.deleted_count != 1:
+    if not item:
         return (
             jsonify(
                 {
@@ -826,15 +836,26 @@ def delete_sample():
             ),
             401,
         )
-    return (
-        jsonify(
-            {
-                "status": "success",
-            }
-        ),
-        200,
+
+    result = flask_mongo.db.items.delete_one(
+        {"item_id": item_id, **get_default_permissions(user_only=True, deleting=True)}
     )
 
+    if result.deleted_count != 1:
+        return (
+            jsonify(
+                {
+                    "status": "error",
+                    "message": f"Failed to delete item with {item_id=}.",
+                }
+            ),
+            400,
+        )
+
+    flask_mongo.db.api_keys.delete_many({"refcode": item["refcode"], "type": "access_token"})
+
+    return jsonify({"status": "success"}), 200
+
 
 @ITEMS.route("/items/<refcode>", methods=["GET"])
 @ITEMS.route("/get-item-data/<item_id>", methods=["GET"])
@@ -842,6 +863,7 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
     """Generates a JSON response for the item with the given `item_id`,
     or `refcode` additionally resolving relationships to files and other items.
     """
+
     redirect_to_ui = bool(request.args.get("redirect-to-ui", default=False, type=json.loads))
     access_token = request.args.get("at")
     if refcode and redirect_to_ui and CONFIG.APP_URL:
@@ -899,7 +921,21 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
     except IndexError:
         doc = None
 
-    if not doc or (
+    if not doc:
+        return (
+            jsonify(
+                {
+                    "status": "error",
+                    "message": f"No matching items for {match=} with current authorization.",
+                }
+            ),
+            404,
+        )
+
+    if valid_access_token:
+        pass
+
+    elif (
         not current_user.is_authenticated
         and not CONFIG.TESTING
         and doc["type"] != "starting_materials"
@@ -908,10 +944,10 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
             jsonify(
                 {
                     "status": "error",
-                    "message": f"No matching items for {match=} with current authorization.",
+                    "message": "Authentication required or invalid access token.",
                 }
             ),
-            404,
+            401,
         )
 
     # determine the item type and validate according to the appropriate schema
@@ -1157,3 +1193,55 @@ def search_users():
     return jsonify(
         {"status": "success", "users": list(json.loads(Person(**d).json()) for d in cursor)}
     ), 200
+
+
+@ITEMS.route("/items/<refcode>/access-token-info", methods=["GET"])
+def get_access_token_info(refcode: str):
+    """Get information about existing access token for this item (if any).
+
+    Returns token info (with masked token) if user has permissions to this item.
+    """
+    access_token = request.args.get("at")
+    if access_token and check_access_token(refcode, access_token):
+        pass
+    elif not (current_user.is_authenticated):
+        return jsonify({"status": "error", "message": "Authentication required."}), 401
+
+    if len(refcode.split(":")) != 2:
+        refcode = f"{CONFIG.IDENTIFIER_PREFIX}:{refcode}"
+
+    current_item = flask_mongo.db.items.find_one(
+        {"refcode": refcode, **get_default_permissions(user_only=True)},
+        {"refcode": 1},
+    )
+
+    if not current_item:
+        return jsonify(
+            {
+                "status": "error",
+                "message": f"No valid item found with the given {refcode=}.",
+            }
+        ), 404
+
+    existing_token = flask_mongo.db.api_keys.find_one(
+        {"refcode": refcode, "active": True, "type": "access_token"},
+        {"token": 1, "created_at": 1, "user": 1},
+    )
+
+    if existing_token:
+        token_hash = existing_token["token"]
+        masked_token = token_hash[:8] + "..." + token_hash[-8:]
+
+        return jsonify(
+            {
+                "status": "success",
+                "has_token": True,
+                "token_info": {
+                    "masked_token": masked_token,
+                    "created_at": existing_token["created_at"],
+                    "created_by": str(existing_token["user"]),
+                },
+            }
+        ), 200
+    else:
+        return jsonify({"status": "success", "has_token": False}), 200
diff --git a/webapp/src/components/AdminDisplay.vue b/webapp/src/components/AdminDisplay.vue
index c9905f2c6..e7e4a20b1 100644
--- a/webapp/src/components/AdminDisplay.vue
+++ b/webapp/src/components/AdminDisplay.vue
@@ -1,15 +1,24 @@
 <template>
   <div class="admin-display">
-    <template v-if="selectedItem === 'Users'"> <UserTable /> </template>
+    <template v-if="selectedItem === 'Users'">
+      <UserTable />
+    </template>
+    <template v-if="selectedItem === 'Access Tokens'">
+      <TokenTable />
+    </template>
   </div>
 </template>
 
 <script>
 import UserTable from "./UserTable.vue";
+import TokenTable from "./TokenTable.vue";
 
 export default {
   name: "AdminDisplay",
-  components: { UserTable },
+  components: {
+    UserTable,
+    TokenTable,
+  },
   props: {
     selectedItem: {
       type: String,
diff --git a/webapp/src/components/QRCode.vue b/webapp/src/components/QRCode.vue
index b437c1885..04e03e64c 100644
--- a/webapp/src/components/QRCode.vue
+++ b/webapp/src/components/QRCode.vue
@@ -1,7 +1,8 @@
 <template>
   <div class="text-center">
     <QRCodeVue3
-      :value="QRCodeUrl"
+      :key="currentQRCodeUrl"
+      :value="currentQRCodeUrl"
       :width="width"
       :height="width"
       :qr-options="{ typeNumber: 0, mode: 'Byte', errorCorrectionLevel: 'Q' }"
@@ -15,6 +16,7 @@
       :corners-dot-options="{ type: 'square', color: 'black' }"
       file-ext="png"
     />
+
     <div
       id="qrcode-text-label"
       :style="{ width: width }"
@@ -22,8 +24,69 @@
     >
       {{ refcode }}
     </div>
+
+    <div class="mt-2">
+      <span v-if="!isPublicMode" class="badge bg-primary">Private QR Code</span>
+      <span v-else class="badge bg-warning text-dark">Public QR Code</span>
+    </div>
+  </div>
+
+  <div v-if="isLoading" class="text-center mt-3">
+    <div class="spinner-border spinner-border-sm" role="status">
+      <span class="visually-hidden">Loading...</span>
+    </div>
+    <small class="d-block mt-1">Checking existing tokens...</small>
+  </div>
+
+  <div v-else-if="!isPublicMode" class="mt-3">
+    <div class="alert alert-info">
+      <strong>Generate Public QR Code:</strong><br />
+      This QR code requires authentication to access. You can generate a public QR code that allows
+      access without login.
+    </div>
+
+    <button
+      class="btn btn-warning w-100"
+      :disabled="isGenerating"
+      @click.prevent="hasExistingToken ? switchToPublic() : generatePublicQRCode()"
+    >
+      <span v-if="isGenerating">
+        <span class="spinner-border spinner-border-sm me-2" role="status"></span>
+        Generating...
+      </span>
+      <span v-else-if="hasExistingToken"> <i class="fas fa-eye me-2"></i>View Public QR Code </span>
+      <span v-else> <i class="fas fa-unlock me-2"></i>Generate Public QR Code </span>
+    </button>
   </div>
-  <div v-if="!federatedQR" class="alert alert-info">
+
+  <div v-else class="mt-3">
+    <div class="alert alert-warning">
+      <strong><i class="fas fa-exclamation-triangle me-2"></i>Public QR Code Active</strong><br />
+      This QR code can be accessed by anyone with the link. No authentication required.
+      <div class="mt-2">
+        <small><strong>Created:</strong> {{ formattedCreationDate }}</small>
+      </div>
+    </div>
+
+    <div class="d-flex justify-content-center">
+      <button class="btn btn-sm btn-outline-primary mr-2" @click="switchToPrivate">
+        <i class="fas fa-eye me-1"></i>View Private QRCode
+      </button>
+      <button
+        class="btn btn-sm btn-outline-danger"
+        :disabled="isInvalidating"
+        @click="invalidateToken"
+      >
+        <i class="fas fa-trash me-1"></i>Delete Token
+      </button>
+    </div>
+  </div>
+
+  <div v-if="errorMessage" class="alert alert-danger mt-3">
+    <i class="fas fa-exclamation-triangle me-2"></i>{{ errorMessage }}
+  </div>
+
+  <div v-if="!federatedQR" class="alert alert-info mt-3">
     QR_CODE_RESOLVER_URL is not set to the federation resolver URL for this deployment.<br />
     Links embedded within QR codes generated here will only work if this <i>datalab</i> instance
     remains at the same URL.<br /><br />
@@ -52,27 +115,178 @@ export default {
       default: 200,
     },
   },
+  emits: ["public-token-generated", "public-token-invalidated"],
   data() {
     return {
       federationQRCodeUrl: FEDERATION_QR_CODE_RESOLVER_URL,
+      isPublicMode: false,
+      publicToken: null,
+      tokenInfo: null,
+      isLoading: false,
+      isGenerating: false,
+      isInvalidating: false,
+      errorMessage: null,
     };
   },
   computed: {
-    accessToken() {
-      return "v1-aaaaaaabbbbbbbbcccccccc";
-    },
     federatedQR() {
       return FEDERATION_QR_CODE_RESOLVER_URL == QR_CODE_RESOLVER_URL;
     },
-    QRCodeUrl() {
-      // If the QR_CODE_RESOLVER_URL is not set, use the API_URL
-      // with the redirect-to-ui option
+    privateQRCodeUrl() {
       if (QR_CODE_RESOLVER_URL == null) {
-        return (
-          API_URL + "/items/" + this.refcode + "?redirect-to-ui=true" + "&token=" + this.accessToken
-        );
+        return API_URL + "/items/" + this.refcode + "?redirect-to-ui=true";
+      }
+      return QR_CODE_RESOLVER_URL + "/" + this.refcode;
+    },
+    publicQRCodeUrl() {
+      if (!this.publicToken) return this.privateQRCodeUrl;
+
+      if (QR_CODE_RESOLVER_URL == null) {
+        return `${API_URL}/items/${this.refcode}?redirect-to-ui=true&at=${this.publicToken}`;
+      }
+      return `${QR_CODE_RESOLVER_URL}/${this.refcode}?at=${this.publicToken}`;
+    },
+    currentQRCodeUrl() {
+      const url = this.isPublicMode ? this.publicQRCodeUrl : this.privateQRCodeUrl;
+      return url;
+    },
+    formattedCreationDate() {
+      if (!this.tokenInfo?.created_at) return "Unknown";
+
+      try {
+        const date = new Date(this.tokenInfo.created_at);
+        return date.toLocaleDateString() + " at " + date.toLocaleTimeString();
+      } catch {
+        return "Unknown";
+      }
+    },
+    hasExistingToken() {
+      return this.publicToken === "existing-token";
+    },
+  },
+  mounted() {
+    this.checkExistingToken();
+  },
+  beforeUnmount() {
+    this.errorMessage = null;
+  },
+  methods: {
+    async checkExistingToken() {
+      this.isLoading = true;
+      this.errorMessage = null;
+
+      const urlParams = new URLSearchParams(window.location.search);
+      const accessToken = urlParams.get("at");
+      if (accessToken) {
+        return;
       }
-      return QR_CODE_RESOLVER_URL + "/" + this.refcode + "&token=" + this.accessToken;
+
+      try {
+        const response = await fetch(`${API_URL}/items/${this.refcode}/access-token-info`, {
+          method: "GET",
+          credentials: "include",
+        });
+
+        const data = await response.json();
+
+        if (response.ok && data.status === "success") {
+          if (data.has_token) {
+            this.tokenInfo = data.token_info;
+            this.isPublicMode = true;
+            this.publicToken = data.token_info.token;
+          }
+        } else if (response.status === 404) {
+          console.debug("No access to item or item not found");
+        } else {
+          console.warn("Error checking token:", data.message);
+        }
+      } catch (error) {
+        console.error("Error checking existing token:", error);
+      } finally {
+        this.isLoading = false;
+      }
+    },
+
+    async generatePublicQRCode() {
+      this.isGenerating = true;
+
+      try {
+        const response = await fetch(`${API_URL}/items/${this.refcode}/issue-access-token`, {
+          method: "POST",
+          credentials: "include",
+          headers: {
+            "Content-Type": "application/json",
+          },
+        });
+
+        const data = await response.json();
+
+        if (response.ok && data.status === "success") {
+          this.publicToken = data.token;
+          this.isPublicMode = true;
+          this.tokenInfo = {
+            created_at: new Date().toISOString(),
+            created_by: this.$store.state.currentUserID,
+          };
+          this.$emit("public-token-generated", {
+            refcode: this.refcode,
+            token: data.token,
+          });
+        } else if (response.status === 409) {
+          this.errorMessage =
+            "A public QR code already exists for this item. Please refresh the page to see it.";
+          this.checkExistingToken();
+        } else {
+          throw new Error(data.message || "Failed to generate access token");
+        }
+      } catch (error) {
+        console.error("Error generating public QR code:", error);
+        this.errorMessage = `Failed to generate public QR code: ${error.message}`;
+      } finally {
+        this.isGenerating = false;
+      }
+    },
+
+    async invalidateToken() {
+      this.isInvalidating = true;
+      this.errorMessage = null;
+
+      try {
+        const response = await fetch(`${API_URL}/items/${this.refcode}/invalidate-access-token`, {
+          method: "POST",
+          credentials: "include",
+          headers: {
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({}),
+        });
+
+        const data = await response.json();
+
+        if (response.ok && data.status === "success") {
+          this.publicToken = null;
+          this.tokenInfo = null;
+          this.isPublicMode = false;
+          this.showInvalidateConfirm = false;
+          this.$emit("public-token-invalidated", { refcode: this.refcode });
+        } else {
+          throw new Error(data.detail || data.message || "Failed to invalidate token");
+        }
+      } catch (error) {
+        console.error("Error invalidating token:", error);
+        this.errorMessage = `Failed to invalidate token: ${error.message}`;
+      } finally {
+        this.isInvalidating = false;
+      }
+    },
+
+    switchToPrivate() {
+      this.isPublicMode = false;
+      this.errorMessage = null;
+    },
+    switchToPublic() {
+      this.isPublicMode = true;
+      this.errorMessage = null;
     },
   },
 };
diff --git a/webapp/src/components/TokenTable.vue b/webapp/src/components/TokenTable.vue
new file mode 100644
index 000000000..74d69b817
--- /dev/null
+++ b/webapp/src/components/TokenTable.vue
@@ -0,0 +1,195 @@
+<template>
+  <table class="table table-hover table-sm" data-testid="tokens-table">
+    <thead>
+      <tr>
+        <th scope="col">Item</th>
+        <th scope="col">Token Status</th>
+        <th scope="col">Refcode</th>
+        <th scope="col">Item Type</th>
+        <th scope="col">Created By</th>
+        <th scope="col">Date Created</th>
+        <th scope="col">Actions</th>
+      </tr>
+    </thead>
+    <tbody>
+      <tr v-if="isLoading">
+        <td colspan="6" class="text-center">
+          <div class="spinner-border spinner-border-sm" role="status">
+            <span class="visually-hidden">Loading...</span>
+          </div>
+          Loading tokens...
+        </td>
+      </tr>
+      <tr v-else-if="tokens.length === 0">
+        <td colspan="6" class="text-center text-muted">No access tokens found</td>
+      </tr>
+      <tr v-for="token in sortedTokens" v-else :key="token._id">
+        <td align="left">
+          <FormattedItemName
+            v-if="token.item_id"
+            :item_id="token.item_id"
+            :item-type="token.item_type"
+            enable-click
+          />
+        </td>
+        <td align="left">
+          <span v-if="token.active" class="badge badge-success text-uppercase"> Active </span>
+          <span v-else class="badge badge-danger text-uppercase"> Invalidated </span>
+        </td>
+        <td align="left">
+          <FormattedRefcode
+            :refcode="token.refcode"
+            :enable-q-r-code="token.item_type !== 'deleted'"
+          />
+        </td>
+        <td align="left">{{ token.item_type || "Unknown" }}</td>
+        <td align="left">{{ token.created_by || "Unknown" }}</td>
+        <td align="left">{{ formatDate(token.created_at) }}</td>
+        <td align="left">
+          <button
+            v-if="token.active"
+            class="btn btn-outline-danger btn-sm text-uppercase text-monospace"
+            :disabled="invalidatingTokens.has(token._id)"
+            @click="confirmInvalidateToken(token)"
+          >
+            <span v-if="invalidatingTokens.has(token._id)"> Invalidating... </span>
+            <span v-else> Invalidate </span>
+          </button>
+          <button
+            v-else
+            class="btn btn-outline-secondary btn-sm text-uppercase text-monospace"
+            disabled
+          >
+            Invalidated
+          </button>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+</template>
+
+<script>
+import { API_URL } from "@/resources.js";
+
+import FormattedItemName from "@/components/FormattedItemName.vue";
+import FormattedRefcode from "@/components/FormattedRefcode.vue";
+
+export default {
+  name: "TokenTable",
+  components: {
+    FormattedRefcode,
+    FormattedItemName,
+  },
+  data() {
+    return {
+      tokens: [],
+      isLoading: false,
+      invalidatingTokens: new Set(),
+    };
+  },
+  computed: {
+    sortedTokens() {
+      return [...this.tokens].sort((a, b) => {
+        if (a.active !== b.active) {
+          return a.active ? -1 : 1;
+        }
+        return new Date(b.created_at) - new Date(a.created_at);
+      });
+    },
+  },
+
+  created() {
+    this.loadTokens();
+  },
+
+  methods: {
+    async loadTokens() {
+      this.isLoading = true;
+
+      try {
+        const response = await fetch(`${API_URL}/access-tokens`, {
+          method: "GET",
+          credentials: "include",
+        });
+
+        const data = await response.json();
+
+        if (response.ok && data.status === "success") {
+          this.tokens = data.tokens;
+        } else {
+          console.error("Failed to load tokens:", data.message);
+        }
+      } catch (error) {
+        console.error("Error loading tokens:", error);
+      } finally {
+        this.isLoading = false;
+      }
+    },
+
+    async confirmInvalidateToken(token) {
+      if (
+        window.confirm(
+          `Are you sure you want to invalidate the access token for ${token.item_id} (${token.refcode})?`,
+        )
+      ) {
+        await this.invalidateToken(token);
+      }
+    },
+
+    async invalidateToken(token) {
+      this.invalidatingTokens.add(token._id);
+
+      try {
+        const response = await fetch(`${API_URL}/items/${token.refcode}/invalidate-access-token`, {
+          method: "POST",
+          credentials: "include",
+          headers: {
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({
+            token: "admin-invalidation",
+          }),
+        });
+
+        const data = await response.json();
+
+        if (response.ok && data.status === "success") {
+          // Mettre à jour le token dans la liste
+          const index = this.tokens.findIndex((t) => t._id === token._id);
+          if (index !== -1) {
+            this.tokens[index].active = false;
+            this.tokens[index].invalidated_at = new Date().toISOString();
+          }
+        } else {
+          alert(`Failed to invalidate token: ${data.detail || data.message}`);
+        }
+      } catch (error) {
+        console.error("Error invalidating token:", error);
+        alert(`Error invalidating token: ${error.message}`);
+      } finally {
+        this.invalidatingTokens.delete(token._id);
+      }
+    },
+
+    formatDate(dateString) {
+      if (!dateString) return "Unknown";
+      try {
+        return new Date(dateString).toLocaleDateString();
+      } catch {
+        return "Invalid date";
+      }
+    },
+  },
+};
+</script>
+
+<style scoped>
+td {
+  vertical-align: middle;
+}
+
+.table-item-id {
+  font-size: 1.2em;
+  font-weight: normal;
+}
+</style>
diff --git a/webapp/src/server_fetch_utils.js b/webapp/src/server_fetch_utils.js
index a41a35531..8f98d2faa 100644
--- a/webapp/src/server_fetch_utils.js
+++ b/webapp/src/server_fetch_utils.js
@@ -445,8 +445,13 @@ export function removeItemsFromCollection(collection_id, refcodes) {
     });
 }
 
-export async function getItemData(item_id) {
-  return fetch_get(`${API_URL}/get-item-data/${item_id}`)
+export async function getItemData(item_id, accessToken = null) {
+  let url = `${API_URL}/get-item-data/${item_id}`;
+  if (accessToken) {
+    url += `?at=${accessToken}`;
+  }
+
+  return fetch_get(url)
     .then((response_json) => {
       store.commit("createItemData", {
         item_id: item_id,
@@ -454,7 +459,6 @@ export async function getItemData(item_id) {
         child_items: response_json.child_items,
         parent_items: response_json.parent_items,
       });
-
       return "success";
     })
     .catch((error) => {
@@ -465,8 +469,13 @@ export async function getItemData(item_id) {
     });
 }
 
-export async function getItemByRefcode(refcode) {
-  return fetch_get(`${API_URL}/items/${refcode}`)
+export async function getItemByRefcode(refcode, accessToken = null) {
+  let url = `${API_URL}/items/${refcode}`;
+  if (accessToken) {
+    url += `?at=${accessToken}`;
+  }
+
+  return fetch_get(url)
     .then((response_json) => {
       store.commit("createItemData", {
         refcode: refcode,
diff --git a/webapp/src/views/Admin.vue b/webapp/src/views/Admin.vue
index 1625e44cf..641906c6a 100644
--- a/webapp/src/views/Admin.vue
+++ b/webapp/src/views/Admin.vue
@@ -23,7 +23,7 @@ export default {
   },
   data() {
     return {
-      items: ["Users"],
+      items: ["Users", "Access Tokens"],
       selectedItem: "Users",
       user: null,
     };
diff --git a/webapp/src/views/EditPage.vue b/webapp/src/views/EditPage.vue
index d674fb2b5..b62754c47 100644
--- a/webapp/src/views/EditPage.vue
+++ b/webapp/src/views/EditPage.vue
@@ -91,7 +91,7 @@
       </div>
     </div>
 
-    <FileSelectModal :item_id="item_id" />
+    <FileSelectModal v-if="isAuthenticated" :item_id="item_id" />
   </div>
 </template>
 
@@ -212,6 +212,9 @@ export default {
     itemApiUrl() {
       return API_URL + "/items/" + this.refcode;
     },
+    isAuthenticated() {
+      return this.$store.state.currentUserID != null;
+    },
   },
   watch: {
     // add a warning before leaving page if unsaved
@@ -300,8 +303,11 @@ export default {
       this.lastModified = "just now";
     },
     async getSampleData() {
+      const urlParams = new URLSearchParams(window.location.search);
+      const accessToken = urlParams.get("at");
+
       if (this.item_id == null) {
-        getItemByRefcode(this.refcode).then(() => {
+        getItemByRefcode(this.refcode, accessToken).then(() => {
           this.itemDataLoaded = true;
           this.$nextTick(() => {
             this.$store.commit("setItemSaved", { item_id: this.item_id, isSaved: true });
@@ -310,7 +316,7 @@ export default {
           this.updateBlocks();
         });
       } else {
-        getItemData(this.item_id).then(() => {
+        getItemData(this.item_id, accessToken).then(() => {
           this.itemDataLoaded = true;
           this.refcode = this.item_data.refcode;
           this.$nextTick(() => {
@@ -320,7 +326,6 @@ export default {
         });
       }
     },
-
     async updateBlocks() {
       if (this.itemDataLoaded) {
         // update each block asynchronously

From c172b04f1af3a0272ffd5c0f867e8f3ef6046f56 Mon Sep 17 00:00:00 2001
From: Benjamin CHARMES <benjamin.charmes@gmail.com>
Date: Thu, 4 Sep 2025 11:17:27 +0200
Subject: [PATCH 7/8] Use DialogService to generate and invalidate Public
 QRCode and Tokens

---
 pydatalab/src/pydatalab/routes/v0_1/admin.py |   1 +
 pydatalab/src/pydatalab/routes/v0_1/items.py |  14 ++-
 webapp/src/components/DialogModal.vue        |  22 +++-
 webapp/src/components/QRCode.vue             | 103 ++++++++++++-------
 webapp/src/components/TokenTable.vue         |  28 +++--
 5 files changed, 118 insertions(+), 50 deletions(-)

diff --git a/pydatalab/src/pydatalab/routes/v0_1/admin.py b/pydatalab/src/pydatalab/routes/v0_1/admin.py
index a303e7221..7de4b408e 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/admin.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/admin.py
@@ -172,6 +172,7 @@ def list_access_tokens():
                     }
                 },
                 "created_by": {"$arrayElemAt": ["$user_info.display_name", 0]},
+                "created_by_info": {"$arrayElemAt": ["$user_info", 0]},
             }
         },
         {"$sort": {"created_at": -1}},
diff --git a/pydatalab/src/pydatalab/routes/v0_1/items.py b/pydatalab/src/pydatalab/routes/v0_1/items.py
index efdb80806..646564812 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/items.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/items.py
@@ -1232,14 +1232,26 @@ def get_access_token_info(refcode: str):
         token_hash = existing_token["token"]
         masked_token = token_hash[:8] + "..." + token_hash[-8:]
 
+        user_info = None
+        if existing_token.get("user"):
+            user_doc = flask_mongo.db.users.find_one(
+                {"_id": existing_token["user"]}, {"display_name": 1, "contact_email": 1}
+            )
+            if user_doc:
+                user_info = {
+                    "display_name": user_doc.get("display_name"),
+                    "contact_email": user_doc.get("contact_email"),
+                }
+
         return jsonify(
             {
                 "status": "success",
                 "has_token": True,
                 "token_info": {
-                    "masked_token": masked_token,
+                    "token": masked_token,
                     "created_at": existing_token["created_at"],
                     "created_by": str(existing_token["user"]),
+                    "created_by_info": user_info,
                 },
             }
         ), 200
diff --git a/webapp/src/components/DialogModal.vue b/webapp/src/components/DialogModal.vue
index f7e0eb87c..3566baa9f 100644
--- a/webapp/src/components/DialogModal.vue
+++ b/webapp/src/components/DialogModal.vue
@@ -1,8 +1,12 @@
 <template>
   <Teleport to="body">
-    <div v-if="isVisible" class="modal fade show d-block" @click.self="handleOverlayClick">
-      <div class="modal-dialog modal-dialog-centered">
-        <div class="modal-content">
+    <div
+      v-if="isVisible"
+      class="modal fade show d-block dialog-modal-overlay"
+      @click.self="handleOverlayClick"
+    >
+      <div class="modal-dialog modal-dialog-centered dialog-modal-container">
+        <div class="modal-content dialog-modal-content">
           <div class="modal-header">
             <h5 class="modal-title">{{ title }}</h5>
             <button v-if="showCloseButton" type="button" class="close" @click="cancel">
@@ -54,7 +58,7 @@
         </div>
       </div>
     </div>
-    <div v-if="isVisible" class="modal-backdrop fade show"></div>
+    <div v-if="isVisible" class="modal-backdrop fade show dialog-modal-backdrop"></div>
   </Teleport>
 </template>
 
@@ -130,3 +134,13 @@ export default {
   },
 };
 </script>
+
+<style scoped>
+.dialog-modal-overlay {
+  z-index: 9999 !important;
+}
+
+.dialog-modal-backdrop {
+  z-index: 9998 !important;
+}
+</style>
diff --git a/webapp/src/components/QRCode.vue b/webapp/src/components/QRCode.vue
index 04e03e64c..db2d60485 100644
--- a/webapp/src/components/QRCode.vue
+++ b/webapp/src/components/QRCode.vue
@@ -75,7 +75,7 @@
       <button
         class="btn btn-sm btn-outline-danger"
         :disabled="isInvalidating"
-        @click="invalidateToken"
+        @click.stop.prevent="invalidateToken"
       >
         <i class="fas fa-trash me-1"></i>Delete Token
       </button>
@@ -98,6 +98,9 @@
 
 <script>
 import QRCodeVue3 from "qrcode-vue3";
+
+import { DialogService } from "@/services/DialogService";
+
 import { FEDERATION_QR_CODE_RESOLVER_URL, QR_CODE_RESOLVER_URL, API_URL } from "@/resources.js";
 
 export default {
@@ -161,7 +164,7 @@ export default {
       }
     },
     hasExistingToken() {
-      return this.publicToken === "existing-token";
+      return this.tokenInfo && this.publicToken && this.publicToken !== "existing-token";
     },
   },
   mounted() {
@@ -178,6 +181,7 @@ export default {
       const urlParams = new URLSearchParams(window.location.search);
       const accessToken = urlParams.get("at");
       if (accessToken) {
+        this.isLoading = false;
         return;
       }
 
@@ -206,48 +210,74 @@ export default {
         this.isLoading = false;
       }
     },
-
     async generatePublicQRCode() {
-      this.isGenerating = true;
-
-      try {
-        const response = await fetch(`${API_URL}/items/${this.refcode}/issue-access-token`, {
-          method: "POST",
-          credentials: "include",
-          headers: {
-            "Content-Type": "application/json",
-          },
+      setTimeout(async () => {
+        const confirmed = await DialogService.confirm({
+          title: "Generate Public QR Code",
+          message:
+            "This will create a QR code that can be accessed by anyone without authentication. Are you sure you want to proceed?",
+          type: "warning",
+          confirmButtonText: "Generate Public QR Code",
+          cancelButtonText: "Cancel",
         });
 
-        const data = await response.json();
+        if (!confirmed) {
+          return;
+        }
 
-        if (response.ok && data.status === "success") {
-          this.publicToken = data.token;
-          this.isPublicMode = true;
-          this.tokenInfo = {
-            created_at: new Date().toISOString(),
-            created_by: this.$store.state.currentUserID,
-          };
-          this.$emit("public-token-generated", {
-            refcode: this.refcode,
-            token: data.token,
+        this.isGenerating = true;
+
+        try {
+          const response = await fetch(`${API_URL}/items/${this.refcode}/issue-access-token`, {
+            method: "POST",
+            credentials: "include",
+            headers: {
+              "Content-Type": "application/json",
+            },
           });
-        } else if (response.status === 409) {
-          this.errorMessage =
-            "A public QR code already exists for this item. Please refresh the page to see it.";
-          this.checkExistingToken();
-        } else {
-          throw new Error(data.message || "Failed to generate access token");
+
+          const data = await response.json();
+
+          if (response.ok && data.status === "success") {
+            this.publicToken = data.token;
+            this.isPublicMode = true;
+            this.tokenInfo = {
+              created_at: new Date().toISOString(),
+              created_by: this.$store.state.currentUserID,
+            };
+            this.$emit("public-token-generated", {
+              refcode: this.refcode,
+              token: data.token,
+            });
+          } else if (response.status === 409) {
+            this.errorMessage =
+              "A public QR code already exists for this item. Please refresh the page to see it.";
+            this.checkExistingToken();
+          } else {
+            throw new Error(data.message || "Failed to generate access token");
+          }
+        } catch (error) {
+          console.error("Error generating public QR code:", error);
+          this.errorMessage = `Failed to generate public QR code: ${error.message}`;
+        } finally {
+          this.isGenerating = false;
         }
-      } catch (error) {
-        console.error("Error generating public QR code:", error);
-        this.errorMessage = `Failed to generate public QR code: ${error.message}`;
-      } finally {
-        this.isGenerating = false;
-      }
+      }, 100);
     },
-
     async invalidateToken() {
+      const confirmed = await DialogService.confirm({
+        title: "Delete Public QR Code",
+        message:
+          "This will permanently invalidate the public QR code. Anyone with the current link will no longer be able to access this item. Are you sure?",
+        type: "warning",
+        confirmButtonText: "Delete Token",
+        cancelButtonText: "Cancel",
+      });
+
+      if (!confirmed) {
+        return;
+      }
+
       this.isInvalidating = true;
       this.errorMessage = null;
 
@@ -279,7 +309,6 @@ export default {
         this.isInvalidating = false;
       }
     },
-
     switchToPrivate() {
       this.isPublicMode = false;
       this.errorMessage = null;
diff --git a/webapp/src/components/TokenTable.vue b/webapp/src/components/TokenTable.vue
index 74d69b817..5b3512a2c 100644
--- a/webapp/src/components/TokenTable.vue
+++ b/webapp/src/components/TokenTable.vue
@@ -43,7 +43,13 @@
           />
         </td>
         <td align="left">{{ token.item_type || "Unknown" }}</td>
-        <td align="left">{{ token.created_by || "Unknown" }}</td>
+        <td>
+          <div v-if="token.created_by_info" class="d-flex align-items-center">
+            <UserBubble :creator="token.created_by_info" :size="24" />
+            <span class="ms-2">{{ token.created_by_info.display_name }}</span>
+          </div>
+          <span v-else class="text-muted">Unknown</span>
+        </td>
         <td align="left">{{ formatDate(token.created_at) }}</td>
         <td align="left">
           <button
@@ -71,14 +77,18 @@
 <script>
 import { API_URL } from "@/resources.js";
 
+import { DialogService } from "@/services/DialogService";
+
 import FormattedItemName from "@/components/FormattedItemName.vue";
 import FormattedRefcode from "@/components/FormattedRefcode.vue";
+import UserBubble from "@/components/UserBubble.vue";
 
 export default {
   name: "TokenTable",
   components: {
     FormattedRefcode,
     FormattedItemName,
+    UserBubble,
   },
   data() {
     return {
@@ -125,17 +135,19 @@ export default {
         this.isLoading = false;
       }
     },
-
     async confirmInvalidateToken(token) {
-      if (
-        window.confirm(
-          `Are you sure you want to invalidate the access token for ${token.item_id} (${token.refcode})?`,
-        )
-      ) {
+      const confirmed = await DialogService.confirm({
+        title: "Invalidate Access Token",
+        message: `Are you sure you want to invalidate the access token for <strong>${token.item_id}</strong> (${token.refcode})? <br><br>This action cannot be undone and will immediately block access for anyone using this token.`,
+        type: "error",
+        confirmButtonText: "Invalidate Token",
+        cancelButtonText: "Cancel",
+      });
+
+      if (confirmed) {
         await this.invalidateToken(token);
       }
     },
-
     async invalidateToken(token) {
       this.invalidatingTokens.add(token._id);
 

From 920beb16e704ba68735461b564750ecc4e48cecb Mon Sep 17 00:00:00 2001
From: Benjamin CHARMES <benjamin.charmes@gmail.com>
Date: Thu, 4 Sep 2025 13:47:21 +0200
Subject: [PATCH 8/8] Change button style and fix pytest

Small pytest fix

Small pytest fix

Small pytest fix

Small pytest fix

Small pytest fix
---
 pydatalab/src/pydatalab/routes/v0_1/admin.py |  9 +---
 pydatalab/src/pydatalab/routes/v0_1/items.py | 26 +----------
 pydatalab/tests/server/test_permissions.py   | 10 ++--
 webapp/src/components/QRCode.vue             | 48 ++++++++++++--------
 webapp/src/components/TokenTable.vue         |  4 +-
 webapp/src/views/EditPage.vue                |  5 +-
 6 files changed, 40 insertions(+), 62 deletions(-)

diff --git a/pydatalab/src/pydatalab/routes/v0_1/admin.py b/pydatalab/src/pydatalab/routes/v0_1/admin.py
index 7de4b408e..bd2d0c74d 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/admin.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/admin.py
@@ -99,15 +99,10 @@ def save_role(user_id):
 
 @ADMIN.route("/items/<refcode>/invalidate-access-token", methods=["POST"])
 def invalidate_access_token(refcode: str):
-    request_json = request.get_json(silent=True) or {}
-
     if len(refcode.split(":")) != 2:
         refcode = f"{CONFIG.IDENTIFIER_PREFIX}:{refcode}"
 
-    if request_json.get("token") == "admin-invalidation":
-        query = {"refcode": refcode, "active": True, "type": "access_token"}
-    else:
-        query = {"refcode": refcode, "active": True, "type": "access_token"}
+    query = {"refcode": refcode, "active": True, "type": "access_token"}
 
     response = flask_mongo.db.api_keys.update_one(
         query,
@@ -155,7 +150,7 @@ def list_access_tokens():
                 "active": 1,
                 "created_at": 1,
                 "invalidated_at": 1,
-                "token": {"$substr": ["$token", 0, 16]},
+                "token": "$token",
                 "item_name": {
                     "$cond": {
                         "if": {"$gt": [{"$size": "$item_info"}, 0]},
diff --git a/pydatalab/src/pydatalab/routes/v0_1/items.py b/pydatalab/src/pydatalab/routes/v0_1/items.py
index 646564812..f0c8d4a87 100644
--- a/pydatalab/src/pydatalab/routes/v0_1/items.py
+++ b/pydatalab/src/pydatalab/routes/v0_1/items.py
@@ -754,7 +754,6 @@ def update_item_permissions(refcode: str):
 
 
 @ITEMS.route("/items/<refcode>/issue-access-token", methods=["POST"])
-@active_users_or_get_only
 def issue_physical_token(refcode: str):
     """Issue a token that will give semi-permanent access to an
     item with this refcode. This should be used when generating
@@ -872,14 +871,9 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
             redirect_url += f"?at={access_token}"
         return redirect(redirect_url, code=307)
 
-    valid_access_token: bool = False
+    valid_access_token = False
     if refcode and access_token:
         valid_access_token = check_access_token(refcode, access_token)
-        if not valid_access_token:
-            return (
-                jsonify({"status": "error", "message": "Invalid access token"}),
-                401,
-            )
 
     if item_id:
         match = {"item_id": item_id}
@@ -932,24 +926,6 @@ def get_item_data(item_id: str | None = None, refcode: str | None = None):
             404,
         )
 
-    if valid_access_token:
-        pass
-
-    elif (
-        not current_user.is_authenticated
-        and not CONFIG.TESTING
-        and doc["type"] != "starting_materials"
-    ):
-        return (
-            jsonify(
-                {
-                    "status": "error",
-                    "message": "Authentication required or invalid access token.",
-                }
-            ),
-            401,
-        )
-
     # determine the item type and validate according to the appropriate schema
     try:
         ItemModel = ITEM_MODELS[doc["type"]]
diff --git a/pydatalab/tests/server/test_permissions.py b/pydatalab/tests/server/test_permissions.py
index b42a25486..4d96e5f5c 100644
--- a/pydatalab/tests/server/test_permissions.py
+++ b/pydatalab/tests/server/test_permissions.py
@@ -89,25 +89,25 @@ def test_basic_permissions_update(admin_client, admin_user_id, client, user_id):
 def test_access_token_permissions(client, unauthenticated_client, admin_client, database):
     response = client.post("/new-sample/", json={"type": "samples", "item_id": "private-sample"})
     assert response.status_code == 201
-    response = response.json()
+    response = response.json
 
     refcode = response["sample_list_entry"]["refcode"]
     assert refcode
 
-    response = client.get(f"/items/{refcode}/issue-access-token")
-    response = response.json()
+    response = client.post(f"/items/{refcode}/issue-access-token")
+    response = response.json
     assert response["status"] == "success"
     token = response["token"]
     assert token
 
     response = unauthenticated_client.get(f"/items/{refcode}")
-    assert response.status_code == 404
+    assert response.status_code == 401
 
     response = unauthenticated_client.get(f"/items/{refcode}?at={token}")
     assert response.status_code == 200
 
     response = unauthenticated_client.get(f"/items/{refcode}?at={token}123")
-    assert response.status_code == 200
+    assert response.status_code == 401
 
     response = admin_client.get(f"/items/{refcode}")
     assert response.status_code == 200
diff --git a/webapp/src/components/QRCode.vue b/webapp/src/components/QRCode.vue
index db2d60485..fd7b32d47 100644
--- a/webapp/src/components/QRCode.vue
+++ b/webapp/src/components/QRCode.vue
@@ -40,13 +40,22 @@
 
   <div v-else-if="!isPublicMode" class="mt-3">
     <div class="alert alert-info">
-      <strong>Generate Public QR Code:</strong><br />
-      This QR code requires authentication to access. You can generate a public QR code that allows
-      access without login.
+      <strong v-if="hasExistingToken">Public QR Code Available:</strong>
+      <strong v-else>Generate Public QR Code:</strong>
+      <br />
+      <span v-if="hasExistingToken">
+        A public QR code already exists for this item. You can view it or generate a new one if
+        needed.
+      </span>
+      <span v-else>
+        This QR code requires authentication to access. You can generate a public QR code that
+        allows access without login.
+      </span>
     </div>
 
     <button
-      class="btn btn-warning w-100"
+      class="btn w-100"
+      :class="hasExistingToken ? 'btn-info' : 'btn-warning'"
       :disabled="isGenerating"
       @click.prevent="hasExistingToken ? switchToPublic() : generatePublicQRCode()"
     >
@@ -68,17 +77,21 @@
       </div>
     </div>
 
-    <div class="d-flex justify-content-center">
-      <button class="btn btn-sm btn-outline-primary mr-2" @click="switchToPrivate">
-        <i class="fas fa-eye me-1"></i>View Private QRCode
-      </button>
-      <button
-        class="btn btn-sm btn-outline-danger"
-        :disabled="isInvalidating"
-        @click.stop.prevent="invalidateToken"
-      >
-        <i class="fas fa-trash me-1"></i>Delete Token
-      </button>
+    <div class="row g-2">
+      <div class="col-6">
+        <button class="btn btn-outline-info w-100" @click="switchToPrivate">
+          <i class="fas fa-eye me-1"></i>View Private QRCode
+        </button>
+      </div>
+      <div class="col-6">
+        <button
+          class="btn btn-outline-danger w-100"
+          :disabled="isInvalidating"
+          @click.stop.prevent="invalidateToken"
+        >
+          <i class="fas fa-trash me-1"></i>Delete Token
+        </button>
+      </div>
     </div>
   </div>
 
@@ -164,7 +177,7 @@ export default {
       }
     },
     hasExistingToken() {
-      return this.tokenInfo && this.publicToken && this.publicToken !== "existing-token";
+      return this.tokenInfo && this.publicToken === "existing-token";
     },
   },
   mounted() {
@@ -196,8 +209,7 @@ export default {
         if (response.ok && data.status === "success") {
           if (data.has_token) {
             this.tokenInfo = data.token_info;
-            this.isPublicMode = true;
-            this.publicToken = data.token_info.token;
+            this.publicToken = "existing-token";
           }
         } else if (response.status === 404) {
           console.debug("No access to item or item not found");
diff --git a/webapp/src/components/TokenTable.vue b/webapp/src/components/TokenTable.vue
index 5b3512a2c..c96e7fa7c 100644
--- a/webapp/src/components/TokenTable.vue
+++ b/webapp/src/components/TokenTable.vue
@@ -14,9 +14,7 @@
     <tbody>
       <tr v-if="isLoading">
         <td colspan="6" class="text-center">
-          <div class="spinner-border spinner-border-sm" role="status">
-            <span class="visually-hidden">Loading...</span>
-          </div>
+          <div class="spinner-border spinner-border-sm" role="status"></div>
           Loading tokens...
         </td>
       </tr>
diff --git a/webapp/src/views/EditPage.vue b/webapp/src/views/EditPage.vue
index b62754c47..f88c29d0b 100644
--- a/webapp/src/views/EditPage.vue
+++ b/webapp/src/views/EditPage.vue
@@ -91,7 +91,7 @@
       </div>
     </div>
 
-    <FileSelectModal v-if="isAuthenticated" :item_id="item_id" />
+    <FileSelectModal :item_id="item_id" />
   </div>
 </template>
 
@@ -212,9 +212,6 @@ export default {
     itemApiUrl() {
       return API_URL + "/items/" + this.refcode;
     },
-    isAuthenticated() {
-      return this.$store.state.currentUserID != null;
-    },
   },
   watch: {
     // add a warning before leaving page if unsaved