Fix authentication for Seafile 11 by replacing Bearer tokens with Sea…

[hjroundi]

Fix authentication for Seafile 11 by replacing Bearer tokens with Seafile API token

Seafile 11 no longer accepts external OIDC Bearer tokens (this was supported in
Seafile 8 through a custom EBRAINS middleware that has now been removed).
The API now requires a Seafile-specific API token generated via
/api2/account/token/.

This commit adds the OIDC → Seafile token exchange and updates all API requests
to use Authorization: Token <seafile_token> instead of the previous Bearer
token.
This ensures compatibility with Seafile 11 and restores authenticated access.

[apdavison]

looks good to me

[xgui3783]

LGTM

[xgui3783]

@apdavison I don't believe I can create tags.

Can you create tag 0.6.2 , and trigger a pypi release?

[apdavison]

I think I approved this too soon. The CI tests are failing, and the unit tests also fail locally. I'll look into it further.

[amdev74]

I don't understand how this could help users ?

To obtain a seafile token, you need a Bearer token, users in seafile doesn't have password, it's all through OIDC or OAuth2.

How the OIDC token is exchanged for Seafile token ?

[hjroundi]

You're absolutely right that Seafile users do not have passwords and that authentication must happen through OIDC/OAuth2.
The point of this PR is not to replace OIDC authentication for end-users, but to provide a temporary client-side fallback because Seafile 11 no longer accepts EBRAINS Bearer tokens directly at the API layer.

In Seafile 8, the EBRAINS-specific middleware allowed:

Authorization: Bearer <EBRAINS OIDC token>

In Seafile 11, this custom middleware is no longer active, so the API rejects EBRAINS Bearer tokens.
That is why API calls from notebooks, scripts, or the drive Python client all fail with 401 Invalid token.

So, what this PR actually does ? It implements a client-side token exchange, where:

The caller still provides an EBRAINS OIDC Bearer token.

The library calls /api2/account/token/, the endpoint returns a Seafile API token.

All subsequent API calls use:

Authorization: Token <seafile_token>

This does not change how users authenticate.
It only allows the client library to keep working until the EBRAINS middleware is properly reinstated on the server side.

With this token exchange, the library can continue to function even if the server no longer accepts OIDC Bearer tokens directly.

Once the EBRAINS OIDC token will be accepted on Seafile 11, the token exchange layer can be removed again.

So the PR should be a temporary fix, not the long-term solution. I was not cery clear on my PR comment, sorry for that.