cal-itp / eligibility-api Goto Github PK

Authlib provides a little bit of a higher-level abstraction from jwcrypto (it depends on jwcrypto), especially around working with JWT/JSW/JWE (JOSE): https://docs.authlib.org/en/latest/jose/index.html

An added benefit (get it?) is that benefits uses Authlib for its OAuth/OIDC integration, and so already has a dependency on it (as currently the only consumer of this library).

As a first-pass consolidation, we should extract code with as minimal changes as possible from benefits and eligibility-server.

It would also be good to add the configuration to make this a Python package so that benefits and eligibility-server can add it to their requirements.txt.

Cases not covered yet:

• TokenError("JWE token decryption failed")
• TokenError("Invalid JWS token")

See discussion from cal-itp/benefits#575 (comment) and coverage screenshot in cal-itp/benefits#575 (comment)

It's also possible that this issue ends up being moved to eligibility-api since cal-itp/benefits#141 is on our horizon.

I think it can be a separate pull request to set up GitHub workflows for

• running these tests in CI
• publishing the coverage report to the eligibility-api docs site

Originally posted by @angela-tran in #32 (comment)

Devcontainer requirements could be in a requirements.txt file and installed from there.

In the future if we need to worry about pinning dependencies or anything, having them in a requirements.txt allows for Dependabot and other tooling to more easily work with them.

Originally posted by @thekaveman in #3 (comment)

@machikoyasuda @angela-tran this can be set up easily with our workflow templates:

From https://github.com/cal-itp/.github/tree/main/workflow-templates

Originally posted by @thekaveman in #41 (comment)

See cal-itp/benefits#853 (comment)

See #3

The docs are great at explaining the specification, but it's not clear to me how to implement an Eligibility API using this package.

From #7 (comment)

I think we will want the first docs page to be a little more general / about the library, maybe some quick usage samples, etc.

The pre-commit.yml workflow file is sitting in .github/, but it needs to be in the subdirectory .github/workflows for Actions to be able to run it.

See compilerla/conventional-pre-commit for an example of a publish workflow that:

1. Publishes to Test PyPI when a pre-release is made on the repo
2. Publishes to PyPI when a release is made on the repo

We'll want to use the @cal-itp-bot account to do this - we'll have to generate an API token for each of Test and regular PyPI using the Bot's account on each, and store in GH secrets in this repo.

We should have unit tests for Client and its verify method.

For these tests, maybe we could use the responses package to mock the verifying server.

Required files

• LICENSE.md
• README.md
• .gitignore

The docs should have notes similar to the ones for Benefits on making a release.

Modeled after the Composing a message section, describe the reverse process for decrypting a token and verifying the signature.