mirror of
https://github.com/aljazceru/nutshell.git
synced 2025-12-26 13:04:28 +01:00
Blind authentication (#675)
* auth server
* cleaning up
* auth ledger class
* class variables -> instance variables
* annotations
* add models and api route
* custom amount and api prefix
* add auth db
* blind auth token working
* jwt working
* clean up
* JWT works
* using openid connect server
* use oauth server with password flow
* new realm
* add keycloak docker
* hopefully not garbage
* auth works
* auth kinda working
* fix cli
* auth works for send and receive
* pass auth_db to Wallet
* auth in info
* refactor
* fix supported
* cache mint info
* fix settings and endpoints
* add description to .env.example
* track changes for openid connect client
* store mint in db
* store credentials
* clean up v1_api.py
* load mint info into auth wallet
* fix first login
* authenticate if refresh token fails
* clear auth also middleware
* use regex
* add cli command
* pw works
* persist keyset amounts
* add errors.py
* do not start auth server if disabled in config
* update poetry
* discovery url
* fix test
* support device code flow
* adopt latest spec changes
* fix code flow
* mint max bat dynamic
* mypy ignore
* fix test
* do not serialize amount in authproof
* all auth flows working
* fix tests
* submodule
* refactor
* test
* don't sleep
* test
* add wallet auth tests
* test differently
* test only keycloak for now
* fix creds
* daemon
* fix test
* install everything
* install jinja
* delete wallet for every test
* auth: use global rate limiter
* test auth rate limit
* keycloak hostname
* move keycloak test data
* reactivate all tests
* add readme
* load proofs
* remove unused code
* remove unused code
* implement change suggestions by ok300
* add error codes
* test errors
18
.env.example
@@ -133,3 +133,21 @@ LIGHTNING_RESERVE_FEE_MIN=2000
|
||||
# MINT_GLOBAL_RATE_LIMIT_PER_MINUTE=60
|
||||
# Determines the number of transactions (mint, melt, swap) allowed per minute per IP
|
||||
# MINT_TRANSACTION_RATE_LIMIT_PER_MINUTE=20
|
||||
|
||||
# Authentication
|
||||
# These settings allow you to enable blind authentication to limit the user of your mint to a group of authenticated users.
|
||||
# To use this, you need to set up an OpenID Connect provider like Keycloak, Auth0, or Hydra.
|
||||
# - Add the client ID "cashu-client"
|
||||
# - Enable the ES256 and RS256 algorithms for this client
|
||||
# - If you want to use the authorization flow, you must add the redirect URI "http://localhost:33388/callback".
|
||||
# - To support other wallets, use the well-known list of allowed redirect URIs here: https://...TODO.md
|
||||
#
|
||||
# Turn on authentication
|
||||
# MINT_REQUIRE_AUTH=TRUE
|
||||
# OpenID Connect discovery URL of the authentication provider
|
||||
# MINT_AUTH_OICD_DISCOVERY_URL=http://localhost:8080/realms/nutshell/.well-known/openid-configuration
|
||||
# MINT_AUTH_OICD_CLIENT_ID=cashu-client
|
||||
# Number of authentication attempts allowed per minute per user
|
||||
# MINT_AUTH_RATE_LIMIT_PER_MINUTE=5
|
||||
# Maximum number of blind auth tokens per authentication request
|
||||
# MINT_AUTH_MAX_BLIND_TOKENS=100
|
||||
|
||||
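Review bot: The two new setting names, MINT_AUTH_OICD_DISCOVERY_URL and MINT_AUTH_OICD_CLIENT_ID, spell the abbreviation "OICD" where the protocol named in the comment above them is OpenID Connect, normally abbreviated OIDC. Environment variable names become an operator-facing interface once people copy this file, so it is worth settling the spelling before release. In the same block, "limit the user of your mint" reads like a typo for "limit the use of your mint", and the redirect-URI line still points at the placeholder "https://...TODO.md"; either link the real list or drop that bullet until it exists. The example discovery URL is plain http on localhost, which is fine for the Keycloak dev setup, but a one-line comment saying a production value should be an https URL would help, since that document is where the mint learns about the provider it trusts.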