
Switched basic auth to jwt #3

Merged
chris-adam merged 3 commits into main from SE-308/jwt_auth
Feb 17, 2026

Conversation

chris-adam (Contributor) commented Jan 14, 2026

Summary by CodeRabbit

  • New Features

    • Switched external session auth from Basic to JWT Bearer tokens for stricter authentication and validation.
  • Documentation

    • Changelog updated to reflect the authentication changes.
  • Dependencies

    • Raised minimum required version of imio.helpers to >1.3.10 to support the new authentication flow.

chris-adam (Contributor, Author) commented:

It's OK for the calls to the signature MS. The tokens coming from the MS still need to be authenticated.

chris-adam force-pushed the SE-308/jwt_auth branch 2 times, most recently from 809a7c6 to 424eec7 on January 16, 2026 09:25
setup.py Outdated
"collective.eeafaceted.z3ctable",
"eea.facetednavigation",
"imio.helpers",
"imio.helpers>1.3.9",
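Review bot: the added `"imio.helpers>1.3.9"` is an exclusive lower bound, so it admits 1.3.10 while the comment right below says a 1.3.11 release of imio.helpers is still to be made; once that release exists, express the requirement as an inclusive bound on the version that actually ships get_auth_token and verify_auth_token, e.g. `"imio.helpers>=1.3.11"` if 1.3.11 is that release, so the constraint names the first version that works rather than the last one that does not.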
chris-adam (Contributor, Author) commented Jan 16, 2026:

TODO: make a 1.3.11 release of imio.helpers
IMIO/imio.helpers#41

token = auth_header.split(" ")[1]
except IndexError:
return False
return verify_auth_token(token, groups=["access_apims-esign"])
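Review bot: `auth_header.split(" ")[1]` only covers the case where no second field exists; a header of exactly `Bearer ` (trailing space) splits to `['Bearer', '']` and hands an empty string to verify_auth_token, and a header using another scheme (`Basic ...`) reaches the verifier unchanged because the scheme is never checked. Validate the scheme and reject an empty token before the call, e.g. `scheme, _, token = auth_header.partition(" ")` followed by `if scheme != "Bearer" or not token.strip(): return False`. The group `access_apims-esign` on the last line is also being questioned in this thread, since the caller of this endpoint is the signature microservice rather than the apps that call it.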
chris-adam (Contributor, Author) commented:

@jeanmoulart Is this the right group? It doesn't seem very logical to me. It would give access to all the apps that should be contacting the signature MS, whereas it's rather the signature MS that will have to contact us.

Yes, it should rather be access_ia-delib or something like that.

chris-adam (Contributor, Author) commented:

Ah yes, perfect, I just saw that they had the same issue between délib and vision. They updated the doc accordingly.

I changed it to the "access_imio-apps-docs" group. That will need to be adapted on your keycloak apps user. You should be able to test the notifications with JWT early next week, I think.

@chris-adam chris-adam marked this pull request as ready for review January 16, 2026 09:30
sgeulette (Member) left a comment:

I'm not doing the merge: waiting for the imio.helpers merge.

coderabbitai bot commented Feb 16, 2026

No actionable comments were generated in the recent review. 🎉


Walkthrough

This PR switches authentication from Basic auth (base64-encoded credentials) to Bearer token (JWT) authentication. It removes ESIGN_CREDENTIALS env var usage, updates create_external_session to obtain a Bearer token, enforces token verification in the microservice, and raises imio.helpers dependency to >1.3.10.

Changes

Cohort / File(s): Summary

Documentation & Dependencies (CHANGES.rst, setup.py): Added changelog entry documenting switch to JWT/Bearer auth. Updated imio.helpers dependency to require >1.3.10.

Package Initialization (src/imio/esign/__init__.py): Removed ESIGN_CREDENTIALS environment variable initialization.

Browser View Layer (src/imio/esign/browser/views.py): Removed import/use of ESIGN_CREDENTIALS; stopped passing credentials to create_external_session.

Session Utility Functions (src/imio/esign/utils.py): Removed b64_cred parameter. Now obtains a Bearer token via get_auth_token() and sends Authorization: Bearer {token} using requests.post(..., timeout=...) (removed Basic auth and post_request wrapper).

Microservice Authorization (src/imio/esign/services/external_session_feedback.py): Replaced permissive auth check with Bearer flow: requires Authorization: Bearer ..., verifies token with verify_auth_token (restricting to access_imio-apps-docs), and returns 403 on failure. Also appended a microservice session state string.

Sequence Diagram

sequenceDiagram
    actor Client
    participant BrowserView as Browser View
    participant Utils as Session Utils
    participant ExternalService as External Session Service
    participant AuthLib as Auth Library\n(imio.helpers.ws)

    Client->>BrowserView: request external session
    BrowserView->>Utils: create_external_session(session_id, url)
    Utils->>AuthLib: get_auth_token()
    AuthLib-->>Utils: Bearer token
    Utils->>ExternalService: POST /external_sessions\nAuthorization: Bearer {token}
    ExternalService->>AuthLib: verify_auth_token(token)
    alt token valid & in group
        AuthLib-->>ExternalService: verified
        ExternalService-->>Utils: session created (200)
    else invalid or missing token
        AuthLib-->>ExternalService: verification failed
        ExternalService-->>Utils: 403 Forbidden
    end
    Utils-->>BrowserView: result
    BrowserView-->>Client: response

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 I tossed the base64 bunnies in the night,
And let a Bearer token take the flight.
Microservices now guard their door,
imio.helpers bumped—secure once more.
The rabbit hops, all tidy and light! ✨🐇

Pre-merge checks: 3 passed

Description Check: Passed. Check skipped, CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately summarizes the main change: switching authentication from basic auth to JWT across multiple files and authentication flows.
Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.


coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@setup.py`:
- Line 58: Update the dependency constraint in setup.py from
"imio.helpers>1.3.10" to "imio.helpers>=1.3.9" to allow the package that
introduced get_auth_token in 1.3.9; then locate any imports of verify_auth_token
(e.g., from imio.helpers or imio.helpers.ws) in the codebase and confirm the
correct module path (adjust imports to imio.helpers.ws if verify_auth_token
lives there or correct the name if it belongs elsewhere) so the import matches
the actual symbol location.

In `@src/imio/esign/services/external_session_feedback.py`:
- Around line 99-106: The code reads a private auth header and can pass an empty
token to verify_auth_token; replace use of self.request._auth with the public
header accessor (e.g., self.request.getHeader("Authorization")), ensure the
header starts with "Bearer ", split safely and reject empty tokens (i.e., after
splitting check token is truthy), and return False before calling
verify_auth_token if the token is missing or empty; update references to
auth_header and the token extraction logic around verify_auth_token accordingly.

In `@src/imio/esign/utils.py`:
- Around line 165-170: The requests.post call that assigns to ret (posting to
session_url with headers, data_payload and files_payload) is missing a timeout
and can hang; update the call in utils.py to pass a timeout parameter (e.g.,
timeout=10 or a configurable constant) to requests.post, or read a timeout from
existing configuration if available, so the function will raise on network
timeouts instead of blocking indefinitely.
🧹 Nitpick comments (2)
src/imio/esign/utils.py (1)

159-162: Consider handling get_auth_token() failure.

If get_auth_token() fails or returns an invalid value, the request will proceed with a malformed Authorization header. Depending on how get_auth_token() behaves on failure (raises exception vs returns None), you may want explicit error handling here to provide a clearer error message.

src/imio/esign/services/external_session_feedback.py (1)

109-115: Remove duplicate state documentation.

This module-level docstring duplicates the information already present inside the class (lines 87-95). Consider keeping only one version to avoid maintenance burden.
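The walkthrough and the actionable comments above describe the hardened inbound check: read the Authorization header through the public accessor, require the Bearer scheme, reject an empty token, then verify the token against the expected group and answer 403 on any failure. The block below is an added example, not code from imio.esign or imio.helpers. It assumes (my assumptions, not the PR's) that the tokens are HS256 JWTs signed with a shared secret, carry group membership in a "groups" claim and expiry in an "exp" claim; the real verify_auth_token in imio.helpers.ws may validate differently, so the local verifier is a stand-in, and the secret and sample tokens are constructed.

```python
"""Bearer-token check for an inbound microservice call (added example).

Assumptions, not taken from the PR: HS256 JWT signed with a shared secret,
group membership in a "groups" claim, expiry in an "exp" claim.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"          # constructed for this example
REQUIRED_GROUP = "access_imio-apps-docs"     # group chosen in the PR thread


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret=SECRET):
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def extract_bearer_token(auth_header):
    """Return the token from 'Authorization: Bearer <token>', or None.

    Unlike auth_header.split(" ")[1], this rejects other schemes (Basic)
    and the empty token that 'Bearer ' with a trailing space would yield.
    """
    if not auth_header:
        return None
    parts = auth_header.split(None, 1)   # split on any whitespace, once
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token or None


def verify_auth_token(token, groups, secret=SECRET, now=None):
    """Stand-in verifier: structure, algorithm, signature, expiry, group."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return False
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False
    if header.get("alg") != "HS256":   # refuse "none" and algorithm switches
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("utf-8")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False
    token_groups = claims.get("groups")
    if not isinstance(token_groups, list):
        return False
    return any(g in token_groups for g in groups)


def authorize(auth_header, now=None):
    """Mirror of the service decision: returns (allowed, HTTP status)."""
    token = extract_bearer_token(auth_header)
    if token is None:
        return False, 403
    if not verify_auth_token(token, groups=[REQUIRED_GROUP], now=now):
        return False, 403
    return True, 200


if __name__ == "__main__":
    now = 1_700_000_000
    ok = make_token({"sub": "ms-signature", "groups": [REQUIRED_GROUP], "exp": now + 600})
    print(authorize("Bearer " + ok, now=now))   # (True, 200)
    print(authorize("Bearer ", now=now))        # (False, 403)
```

Extraction and verification are kept separate so the service can answer 403 on a malformed header before doing any cryptography, and the algorithm is pinned to HS256 before the signature is compared so a token that names "none" or another algorithm is refused rather than trusted. The `now` parameter exists only to make expiry checks reproducible; in production it stays at its default.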

@chris-adam chris-adam merged commit 6360886 into main Feb 17, 2026
3 checks passed
@chris-adam chris-adam deleted the SE-308/jwt_auth branch February 17, 2026 10:08
