
[REF] Manually verify ID token using PyJWT instead of google_auth #139

Merged (10 commits) on Dec 2, 2024

Conversation

alyssadai (Contributor) commented Nov 28, 2024

Changes proposed in this pull request:

  • Switch to using PyJWT library to 'manually' verify ID tokens based on provided IdP public keys, issuers, etc.
  • Switch to Auth0 as IdP
  • Minor refactoring of token handling utilities for clearer testing

Checklist

This section is for the PR reviewer

  • PR has an interpretable title with a prefix ([ENH], [FIX], [REF], [TST], [CI], [MNT], [INF], [MODEL], [DOC]) (see our Contributing Guidelines for more info)
  • PR has a label for the release changelog or skip-release (to be applied by maintainers only)
  • PR links to GitHub issue with mention Closes #XXXX
  • Tests pass
  • Checks pass

For new features:

  • Tests have been added

For bug fixes:

  • There is at least one test that would fail under the original bug conditions.

Summary by Sourcery

Replace the Google authentication library with PyJWT for manual ID token verification, enhancing the security module. Update the project dependencies to include PyJWT and cryptography.

Enhancements:

  • Replace google_auth with PyJWT for manual ID token verification.

Build:

  • Add PyJWT and cryptography to the project dependencies.

@alyssadai alyssadai added the pr-internal Non-user-facing code improvement, will increment patch version when merged (0.0.+1) label Nov 28, 2024
sourcery-ai bot commented Nov 28, 2024

Reviewer's Guide by Sourcery

This PR replaces Google authentication with PyJWT for ID token verification, transitioning from Google Auth to Auth0 as the identity provider. The implementation involves manual verification of ID tokens using PyJWT library, which provides more direct control over the token verification process. The changes primarily affect the security module, with updates to token verification logic, test cases, and dependencies.

Sequence diagram for ID token verification process

sequenceDiagram
    participant Client
    participant Server
    participant Auth0
    Client->>Server: Send request with ID token
    Server->>Auth0: Fetch public keys from JWKS endpoint
    Auth0-->>Server: Return public keys
    Server->>Server: Extract token from authorization header
    Server->>Server: Verify token using PyJWT
    Server-->>Client: Return response based on token validity

Updated class diagram for security module

classDiagram
    class Security {
        +check_client_id()
        +extract_token(token: str) str
        +verify_token(token: str) str
    }
    class PyJWKClient {
        +get_signing_key_from_jwt(jwt: str)
    }
    class PyJWTError
    Security --> PyJWKClient
    Security --> PyJWTError

File-Level Changes

Replace Google Auth with PyJWT for token verification (app/api/security.py)
  • Add new token verification using PyJWT with Auth0 JWKS endpoint
  • Split token verification into separate extract and verify functions
  • Update token verification parameters including audience and issuer claims
  • Remove Google-specific authentication code

Update authentication configuration and dependencies (app/api/routers/query.py, requirements.txt)
  • Change authorization URL to Auth0 endpoint
  • Add PyJWT and cryptography to project dependencies
  • Remove google-auth dependency

Refactor test suite for new authentication system (tests/test_security.py, tests/conftest.py, tests/test_query.py)
  • Update test fixtures to use new verification function names
  • Remove Google-specific token verification test cases
  • Simplify token extraction test

Assessment against linked issues

Objectives of issue #138:
  • Replace Google authentication with PyJWT for manual JWT verification
  • Switch to a different IdP (Identity Provider)
  • Remove google_auth dependency

Possibly linked issues

  • #385: The PR implements manual JWT verification using PyJWT, addressing the issue's requirements.
  • #385: The PR addresses the issue by changing ID token verification from google_auth to PyJWT.
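As an added example (not code from this PR or the neurobagel project) of what "manually" verifying an Auth0 ID token involves, as outlined above: bearer-token extraction, header parsing with an algorithm allowlist, kid lookup in the IdP's JWKS (the job of PyJWKClient.get_signing_key_from_jwt) and the issuer/audience/expiry claim checks that jwt.decode applies. The issuer, audience, JWKS and token values are constructed placeholders; the RSA signature check is left to PyJWT and deliberately not reimplemented, so these checks alone never establish that a token is genuine.

```python
import base64
import json
import time

# The signature is verified by PyJWT's jwt.decode in the PR; not reproduced here.
ISSUER = "https://example-tenant.auth0.com/"  # assumed Auth0 issuer (trailing slash)
AUDIENCE = "example-client-id"                # assumed Auth0 client ID
ALLOWED_ALGS = ("RS256",)                     # reject alg=none / HS* before any key use
# Constructed JWKS in the shape Auth0 publishes at /.well-known/jwks.json (modulus faked).
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-2024", "use": "sig",
                         "alg": "RS256", "n": "sample-modulus", "e": "AQAB"}]}

def _b64url_json(segment: str) -> dict:
    # JWT segments are unpadded base64url (RFC 7515); restore padding before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed test token: real header/payload, placeholder signature segment."""
    segs = (base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode() for p in (header, claims))
    return ".".join(segs) + ".sig"

def extract_token(authorization: str) -> str:
    """Return the bearer token from an Authorization header value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token or " " in token:
        raise ValueError("Authorization header must be 'Bearer <token>'")
    return token

def select_jwk(token: str, jwks: dict) -> dict:
    """What PyJWKClient.get_signing_key_from_jwt does: match the token's kid
    against the IdP's published JWKS, refusing algorithms off the allowlist."""
    header = _b64url_json(token.split(".")[0])
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid") and key.get("kty") == "RSA":
            return key
    raise LookupError("no RSA key in the JWKS matches the token's kid")

def validate_claims(token: str, now=None, leeway: int = 0) -> dict:
    """The claim checks jwt.decode(audience=..., issuer=...) applies after the
    signature passes: iss, aud (string or list) and exp with optional leeway."""
    payload = _b64url_json(token.split(".")[1])
    now = time.time() if now is None else now
    if payload.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if "exp" not in payload or now > payload["exp"] + leeway:
        raise ValueError("token expired or has no exp")
    return payload
```

In the PR the same three stages run in order, with PyJWT's signature verification sitting between key selection and the claim checks.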

codecov bot commented Nov 29, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.17%. Comparing base (cf6faaa) to head (cd12d69).
Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #139      +/-   ##
==========================================
+ Coverage   97.13%   97.17%   +0.04%     
==========================================
  Files          23       23              
  Lines         697      707      +10     
==========================================
+ Hits          677      687      +10     
  Misses         20       20              


@alyssadai alyssadai added the release Create a release when this PR is merged label Nov 29, 2024
@alyssadai alyssadai marked this pull request as ready for review November 29, 2024 07:35
sourcery-ai bot left a comment

Hey @alyssadai - I've reviewed your changes and they look great!

Here's what I looked at during the review
  • 🟡 General issues: 2 issues found
  • 🟡 Security: 1 issue found
  • 🟡 Testing: 3 issues found
  • 🟡 Complexity: 1 issue found
  • 🟢 Documentation: all looks good

Inline review comments were left on app/api/security.py (5) and tests/test_security.py (3); all have since been resolved.
@surchs surchs self-requested a review November 29, 2024 16:53
surchs (Contributor) left a comment

This looks good @alyssadai, thanks a lot! Two points:

  1. Unless I missed it, we don't seem to have a "happy path" test for token validation. I.e. "I provide a valid token and don't get an error from the validation function". I think it'd be good to add such a test by mocking out the 3rd party pyJWT validation method, just to make sure that our code is happy if pyJWT is happy
  2. Mildly in favour of the caching idea the bot suggests. But I believe that cache wouldn't carry over to our tests. Not sure if we want our tests to fail if the network requests for the certificates fail.

Take a look, and 🧑‍🍳

Inline review comments were left on app/api/security.py (2) and tests/test_security.py (1); all have since been resolved.
surchs (Contributor) commented Dec 2, 2024

neurobagel/query-tool#380 is merged, @alyssadai you can merge this too

@alyssadai alyssadai merged commit 9c32acb into main Dec 2, 2024
6 checks passed
@alyssadai alyssadai deleted the validate-auth-token-manually branch December 2, 2024 23:31
neurobagel-bot commented Dec 2, 2024

🚀 PR was released in v0.4.3 🚀

@neurobagel-bot neurobagel-bot bot added the released This issue/pull request has been released. label Dec 2, 2024
Linked issue closed by this pull request: Switch to manual JWT verification of ID token from IdP