Blind authentication (#675)

* auth server

* cleaning up

* auth ledger class

* class variables -> instance variables

* annotations

* add models and api route

* custom amount and api prefix

* add auth db

* blind auth token working

* jwt working

* clean up

* JWT works

* using openid connect server

* use oauth server with password flow

* new realm

* add keycloak docker

* hopefully not garbage

* auth works

* auth kinda working

* fix cli

* auth works for send and receive

* pass auth_db to Wallet

* auth in info

* refactor

* fix supported

* cache mint info

* fix settings and endpoints

* add description to .env.example

* track changes for openid connect client

* store mint in db

* store credentials

* clean up v1_api.py

* load mint info into auth wallet

* fix first login

* authenticate if refresh token fails

* clear auth also middleware

* use regex

* add cli command

* pw works

* persist keyset amounts

* add errors.py

* do not start auth server if disabled in config

* upadte poetry

* disvoery url

* fix test

* support device code flow

* adopt latest spec changes

* fix code flow

* mint max bat dynamic

* mypy ignore

* fix test

* do not serialize amount in authproof

* all auth flows working

* fix tests

* submodule

* refactor

* test

* dont sleep

* test

* add wallet auth tests

* test differently

* test only keycloak for now

* fix creds

* daemon

* fix test

* install everything

* install jinja

* delete wallet for every test

* auth: use global rate limiter

* test auth rate limit

* keycloak hostname

* move keycloak test data

* reactivate all tests

* add readme

* load proofs

* remove unused code

* remove unused code

* implement change suggestions by ok300

* add error codes

* test errors

tests/keycloak_data/docker-compose-restore.yml

@@ -0,0 +1,45 @@
+services:
+  postgres:
+    image: postgres:16.4
+    volumes:
+      - ./postgres_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: cashu
+      POSTGRES_USER: cashu
+      POSTGRES_PASSWORD: cashu
+    networks:
+      - keycloak_network
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:25.0.6
+    command: start --import-realm
+    volumes:
+      - ./keycloak-export:/opt/keycloak/data/import
+    environment:
+      KC_HOSTNAME: localhost
+      KC_HOSTNAME_PORT: 8080
+      KC_HOSTNAME_STRICT_BACKCHANNEL: false
+      KC_HTTP_ENABLED: true
+      KC_HOSTNAME_STRICT_HTTPS: false
+      KC_HEALTH_ENABLED: true
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres/cashu
+      KC_DB_USERNAME: cashu
+      KC_DB_PASSWORD: cashu
+    ports:
+      - 8080:8080
+    restart: always
+    depends_on:
+      - postgres
+    networks:
+      - keycloak_network
+
+volumes:
+  postgres_data:
+    driver: local
+
+networks:
+  keycloak_network:
+    driver: bridge

tests/keycloak_data/keycloak-export/master-users-0.json

@@ -0,0 +1,26 @@
+{
+  "realm" : "master",
+  "users" : [ {
+    "id" : "0ff227f7-c163-4fca-9ae4-c8751c725421",
+    "username" : "admin",
+    "emailVerified" : false,
+    "createdTimestamp" : 1727128354842,
+    "enabled" : true,
+    "totp" : false,
+    "credentials" : [ {
+      "id" : "11a5f9ed-19c9-4164-be31-28ce6e23955b",
+      "type" : "password",
+      "createdDate" : 1727128354904,
+      "secretData" : "{\"value\":\"s/6M2/FCFd1fOyHJRMvOLvKM7e2JIOC6LZ3ovFVkGi8=\",\"salt\":\"Zjn7ChOL5688O84xf1ElGA==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-master", "admin" ],
+    "clientRoles" : {
+      "nutshell-realm" : [ "query-realms", "query-users", "manage-identity-providers", "manage-authorization", "view-identity-providers", "view-realm", "view-authorization", "query-clients", "manage-clients", "create-client", "view-events", "manage-events", "manage-realm", "manage-users", "view-users", "view-clients", "query-groups" ]
+    },
+    "notBefore" : 0,
+    "groups" : [ ]
+  } ]
+}

tests/keycloak_data/keycloak-export/nutshell-users-0.json

@@ -0,0 +1,53 @@
+{
+  "realm" : "nutshell",
+  "users" : [ {
+    "id" : "c4fc742a-700f-4c83-96f2-8777c8bb56d1",
+    "username" : "asd@asd.com",
+    "firstName" : "asd",
+    "lastName" : "asd",
+    "email" : "asd@asd.com",
+    "emailVerified" : false,
+    "createdTimestamp" : 1727128876722,
+    "enabled" : true,
+    "totp" : false,
+    "credentials" : [ {
+      "id" : "23ea2b79-9c09-4133-b53b-2708258da890",
+      "type" : "password",
+      "createdDate" : 1727128876754,
+      "secretData" : "{\"value\":\"fDXqE3IjxS5uIYfn9eYgW5GwokWvGsg2wWY0lOgeYyE=\",\"salt\":\"Wlb5f8yPTh4QreuC99b7Zg==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-nutshell" ],
+    "clientConsents" : [ {
+      "clientId" : "cashu-client",
+      "grantedClientScopes" : [ "email", "roles", "profile" ],
+      "createdDate" : 1732651444894,
+      "lastUpdatedDate" : 1732651444908
+    } ],
+    "notBefore" : 0,
+    "groups" : [ ]
+  }, {
+    "id" : "43a16bd6-f5c5-4dfa-bcd4-6a5540564797",
+    "username" : "callebtc@protonmail.com",
+    "firstName" : "asdasd",
+    "lastName" : "asdasdasdasd",
+    "email" : "callebtc@protonmail.com",
+    "emailVerified" : false,
+    "createdTimestamp" : 1732639511706,
+    "enabled" : true,
+    "totp" : false,
+    "credentials" : [ ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "federatedIdentities" : [ {
+      "identityProvider" : "github",
+      "userId" : "93376500",
+      "userName" : "callebtc"
+    } ],
+    "realmRoles" : [ "default-roles-nutshell" ],
+    "notBefore" : 0,
+    "groups" : [ ]
+  } ]
+}