Add authentication/authorization to the API

[mikesmit]

Currently we do not expect or process any authentication token from the clients using our API. The scope of this task is to update the API to process the authentication token, when provided, and then use it to authorize a subset of operations where appropriate.

Scope includes determining which operations should be constrained with authorization, but that must include at least editing a user profile.

[mikesmit]

picking up the first iteration of this. Looking first at what we do with the household API.

[mikesmit]

TLDR

I have a branch we can use to test auth. Currently the back end will not accept our tokens.

Probable next steps

1. Fix typo setting header to "Authentication" instead of "Authorization" (does not block testing. see below)
2. Follow this guide to define and configure the API for the SPA in auth0, but there are problems

• It explicitly recommends a flow for SPA that (When you click on the link) explicitly tells you not to use that flow for SPA.
• I don't think we want/need all the stuff it makes you set up, but the auth libraries seem to want it (unclear if it's impossible to avoid or just not clearly documented)
• I don't know what it costs to turn on the authorization extension (required by the above)

The current error

Ignoring the header type issue (which I fixed by fixing my curl command).

The immediate error is that the token has a header "alg" which is set to "dir" and the parser library for the token does not support that option. (I have directly confirmed this error via debug)

why is it set to 'dir'?
Based on this post here (I have not independently confirmed this is true) this is what the client library does unless you specify an "audience" (the API).

At least according to the SPA API Guide, doing that requires enabling the "Authorization extension" which we don't currently have and which provides a lot more functionality than we actually need or want.

What I have and how to try it

0. Download branch 2063_add_auth_to_api of the API.
1. Go to our website (either the public link or a local running instance)
2. navigate to the user profile with the debug window open
3. in the "network" tab of the browser debug find the request for the user-profile resource
4. right click and copy as "curl"
5. edit the curl as follows
   6. remove all the headers except Authentication
   7. rename "Authentication" to "Authorization"
   8. change the URL to your locally running API (http://localhost:5000/...)
6. Run the curl
7. to actually find the detailed root cause for errors I had to run in debug mode and trace errors. In vscode this launch worked for me:

{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Python Debugger: Flask",
            "type": "debugpy",
            "request": "launch",
            "module": "flask",
            "env": {
                "FLASK_APP": "policyengine_api.api",
                "FLASK_DEBUG": "1"
            },
            "args": [
                "run",
                "--no-debugger",
                "--no-reload",
                "--without-threads"
            ],
            "jinja": true,
            "autoStartBrowser": false,
            "justMyCode": false
        }
    ]
}

[mikesmit]

I don't see any updates so I'm picking this back up.

1. Will put in fix for the UI typo
2. Will confirm the preferred path for enabling SPA auth
3. Will check the cost of that preferred path and confirm with Max before turning it on.

That should make it possible to test the API with the new token and make any further adjustments required.

[mikesmit]

Based on the following, we are using the PKCE login workflow already so no need to change anything there.

1. Call Your API Using the Authorization Code Flow with PKCE points to
2. Add Login Using the Authorization Code Flow with PKCE which then says the SDK Does it and points to
3. Add Login to Your React Application
4. Watched the network traffic when logging in and confirmed the auth CDK redirect includes the code_challenge query parameter.

[mikesmit]

Took a stab at setting things up as per the SPI API documentation.

The first step is to add a new API. It looks like that exceeds our current limit. We may be able to re-use the application we already have at least to demonstrate everything working together.

I suspect we will run into similar issues on the second step: Enabling the Authorization Extension.

[mikesmit]

Attempted to install the extension and just got "Error!There was an error submitting the form. Please try again." based on this discussion that is likely an issue of reaching account limits.

[mikesmit]

TLDR: there are two issues with setting up SPA/API auth related to resource constraints and we should probably upgrade to the paid version.

Details:

1. **I can't add another API in the Auth0 console due to limits. ** - when you request the JWT for the API you need to provide an "audience" which in this context is an API defined in auth0. We currently define one, household API, and cannot define another under the current constraints. There are two possible paths here
   • we could use one API for everything there is not actually any functional reason we have to have two APIs in oauth. We could use household as an audience for both.
   • upgrade auth0 account then we could define a second one.
2. I can't install the "Authorization Extension" - this is required to associate an SPA application defined in the auth0 console with an API. Currently it fails with a very generic error that discussion on the forum indicates is related to a resource constraint. There are some options here:
   • clean up some resources - it's not clear which resources are the issue, but the forum discussion said removing some applications helped.
   • upgrade auth0 account presumably this would not be an issue.

[mikesmit]

Updated the auth account:

• Upgraded the auth0 account.
• Enabled the Auth0 Authorization Extension
• Added a new API for the web app api ("https://api.policyengine.org/")
• I did not actually configure any App/API permissions, but apparently that's enough.

locally updated the app

• Updated the provider to specify the API as audience
• Updated the fetch to also specify the API as audience
• If I force a re-login, the app will now generate a proper JWT.

Two outcomes

1. I don't actually think we need the Auth0 extension. So it's possible we could do this without upgrading (we'd still need an API)
2. This won't work until all our users get a new refresh token with that audience (forcing a login makes this happen at minimum)

[mikesmit]

Verified the new bearer tokens from the front end (PR incoming) work with the back end.