Add authentication/authorization to the API #2063

Open
mikesmit opened this issue Dec 19, 2024 · 2 comments
@mikesmit
Collaborator

Currently we do not expect or process any authentication token from the clients using our API. The scope of this task is to update the API to process the authentication token, when provided, and then use it to authorize a subset of operations where appropriate.

Scope includes determining which operations should be constrained with authorization, but that must include at least editing a user profile.

@mikesmit mikesmit self-assigned this Dec 19, 2024
@mikesmit
Collaborator Author

Picking up the first iteration of this. Looking first at what we do with the household API.

@mikesmit
Collaborator Author

TLDR

I have a branch we can use to test auth. Currently the back end will not accept our tokens.

Probable next steps

  1. Fix typo setting header to "Authentication" instead of "Authorization" (does not block testing. see below)
  2. Follow this guide to define and configure the API for the SPA in auth0, but there are problems
  • It explicitly recommends a flow for SPA that (when you click on the link) explicitly tells you not to use that flow for SPA.
  • I don't think we want/need all the stuff it makes you set up, but the auth libraries seem to want it (unclear if it's impossible to avoid or just not clearly documented)
  • I don't know what it costs to turn on the authorization extension (required by the above)

The current error

Ignoring the header type issue (which I fixed by fixing my curl command).

The immediate error is that the token has a header "alg" which is set to "dir" and the parser library for the token does not support that option. (I have directly confirmed this error via debug)

Why is it set to 'dir'?
Based on this post here (I have not independently confirmed this is true) this is what the client library does unless you specify an "audience" (the API).

At least according to the SPA API Guide, doing that requires enabling the "Authorization extension" which we don't currently have and which provides a lot more functionality than we actually need or want.

What I have and how to try it

  1. Download branch 2063_add_auth_to_api of the API.
  2. Go to our website (either the public link or a local running instance)
  3. Navigate to the user profile with the debug window open
  4. In the "network" tab of the browser debug find the request for the user-profile resource
  5. Right click and copy as "curl"
  6. Edit the curl as follows
    a. remove all the headers except Authentication
    b. rename "Authentication" to "Authorization"
    c. change the URL to your locally running API (http://localhost:5000/...)
  7. Run the curl
  8. to actually find the detailed root cause for errors I had to run in debug mode and trace errors. In vscode this launch worked for me:
{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Python Debugger: Flask",
            "type": "debugpy",
            "request": "launch",
            "module": "flask",
            "env": {
                "FLASK_APP": "policyengine_api.api",
                "FLASK_DEBUG": "1"
            },
            "args": [
                "run",
                "--no-debugger",
                "--no-reload",
                "--without-threads"
            ],
            "jinja": true,
            "autoStartBrowser": false,
            "justMyCode": false
        }
    ]
}
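The two failures described above (token sent in the wrong header, and a token whose JOSE header carries alg "dir", which a JWS parser rejects) can be told apart before the token ever reaches the verifier. The following triage helper is an added example, not PolicyEngine's code or the Auth0 library's; the sample tokens are constructed placeholders, and the rule that a JWE is returned when no audience is requested is taken from the report above, not independently confirmed here.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


# Signature algorithms an Auth0-issued API access token would normally carry.
SIGNED_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}


def inspect_authorization(headers: dict) -> dict:
    """Classify the client's token before handing it to a JWT verifier.
    Verifies nothing; it explains why a JWS verifier would reject the token."""
    if "Authorization" not in headers:
        if "Authentication" in headers:  # the header-name typo from the issue
            return {"status": "wrong_header", "reason": "token sent as 'Authentication', expected 'Authorization'"}
        return {"status": "missing", "reason": "no Authorization header"}
    scheme, _, token = headers["Authorization"].partition(" ")
    if scheme.lower() != "bearer" or not token:
        return {"status": "bad_scheme", "reason": "expected 'Authorization: Bearer <token>'"}
    parts = token.split(".")
    try:
        jose = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        jose = None
    if not isinstance(jose, dict):
        return {"status": "malformed", "reason": "JOSE header is not base64url-encoded JSON"}
    alg = jose.get("alg")
    # Five segments, an "enc" member, or alg "dir" mark a JWE: the token is encrypted for
    # Auth0's own consumption and opaque to this API (reported to be what the SPA SDK
    # returns when no audience is requested). A JWS verifier rejects alg "dir" outright.
    if len(parts) == 5 or "enc" in jose or alg == "dir":
        return {"status": "jwe_opaque", "alg": alg,
                "reason": "encrypted token; request an audience so Auth0 issues a signed JWT for the API"}
    if len(parts) == 3 and alg in SIGNED_ALGS:
        return {"status": "jws", "alg": alg, "reason": "signed JWT; verify signature, issuer and audience"}
    return {"status": "unsupported_alg", "alg": alg, "reason": f"alg {alg!r} is not accepted"}


# Constructed sample tokens (not real Auth0 tokens; payload and signature segments are placeholders).
SAMPLE_JWE = ".".join([_b64url(json.dumps({"alg": "dir", "enc": "A256GCM"}).encode()),
                       "", "aXY", "Y2lwaGVydGV4dA", "dGFn"])  # empty key segment, as "dir" requires
SAMPLE_JWS = ".".join([_b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}).encode()),
                       _b64url(json.dumps({"aud": "https://api.example.invalid", "sub": "auth0|constructed"}).encode()),
                       "c2lnbmF0dXJl"])
```

Calling `inspect_authorization` on the request headers in the Flask before-request hook would turn the opaque parser error seen in debug into a specific 401 reason without loosening any verification.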
