Blind authentication (#675)

* auth server

* cleaning up

* auth ledger class

* class variables -> instance variables

* annotations

* add models and api route

* custom amount and api prefix

* add auth db

* blind auth token working

* jwt working

* clean up

* JWT works

* using openid connect server

* use oauth server with password flow

* new realm

* add keycloak docker

* hopefully not garbage

* auth works

* auth kinda working

* fix cli

* auth works for send and receive

* pass auth_db to Wallet

* auth in info

* refactor

* fix supported

* cache mint info

* fix settings and endpoints

* add description to .env.example

* track changes for openid connect client

* store mint in db

* store credentials

* clean up v1_api.py

* load mint info into auth wallet

* fix first login

* authenticate if refresh token fails

* clear auth also middleware

* use regex

* add cli command

* pw works

* persist keyset amounts

* add errors.py

* do not start auth server if disabled in config

* update poetry

* discovery url

* fix test

* support device code flow

* adopt latest spec changes

* fix code flow

* mint max bat dynamic

* mypy ignore

* fix test

* do not serialize amount in authproof

* all auth flows working

* fix tests

* submodule

* refactor

* test

* dont sleep

* test

* add wallet auth tests

* test differently

* test only keycloak for now

* fix creds

* daemon

* fix test

* install everything

* install jinja

* delete wallet for every test

* auth: use global rate limiter

* test auth rate limit

* keycloak hostname

* move keycloak test data

* reactivate all tests

* add readme

* load proofs

* remove unused code

* remove unused code

* implement change suggestions by ok300

* add error codes

* test errors
callebtc
2025-01-29 22:48:51 -06:00
committed by GitHub
parent b67ffd8705
commit a0ef44dba0
58 changed files with 8188 additions and 701 deletions


@@ -68,6 +68,8 @@ class MintSettings(CashuSettings):
class MintDeprecationFlags(MintSettings):
mint_inactivate_base64_keysets: bool = Field(default=False)
auth_database: str = Field(default="data/mint")
class MintBackends(MintSettings):
mint_lightning_backend: str = Field(default="") # deprecated
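Review bot: auth_database is declared under MintDeprecationFlags, next to mint_inactivate_base64_keysets, although it is not a deprecation flag. Move it into AuthSettings with the other auth options, and give the Field a description that says what is stored there and whether the default "data/mint" is meant to share a location with other mint data or should be a separate path.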
@@ -231,6 +233,27 @@ class CoreLightningRestFundingSource(MintSettings):
mint_corelightning_rest_cert: Optional[str] = Field(default=None)
class AuthSettings(MintSettings):
mint_require_auth: bool = Field(default=False)
mint_auth_oicd_discovery_url: Optional[str] = Field(default=None)
mint_auth_oicd_client_id: str = Field(default="cashu-client")
mint_auth_rate_limit_per_minute: int = Field(
default=5,
title="Auth rate limit per minute",
description="Number of requests a user can authenticate per minute.",
)
mint_auth_max_blind_tokens: int = Field(default=100, gt=0)
mint_require_clear_auth_paths: List[List[str]] = [
["POST", "/v1/auth/blind/mint"],
]
mint_require_blind_auth_paths: List[List[str]] = [
["POST", "/v1/swap"],
["POST", "/v1/mint/quote/bolt11"],
["POST", "/v1/mint/bolt11"],
["POST", "/v1/melt/bolt11"],
]
class MintRedisCache(MintSettings):
mint_redis_cache_enabled: bool = Field(default=False)
mint_redis_cache_url: Optional[str] = Field(default=None)
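Review bot: In AuthSettings, mint_require_auth can be set to True while mint_auth_oicd_discovery_url keeps its default of None, and nothing in this hunk rejects that combination. Add a validator that fails at startup when auth is required and no discovery URL is configured. mint_auth_rate_limit_per_minute also has no lower bound, unlike mint_auth_max_blind_tokens with gt=0, so 0 or a negative value is accepted. Finally, "oicd" in mint_auth_oicd_discovery_url and mint_auth_oicd_client_id looks like a transposition of OIDC; these names become configuration keys that operators will set, so correct the spelling before it ships.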
@@ -246,6 +269,7 @@ class Settings(
FakeWalletSettings,
MintLimits,
MintBackends,
AuthSettings,
MintRedisCache,
MintDeprecationFlags,
MintSettings,