
Conversation

@elfkuzco
Collaborator

@elfkuzco elfkuzco commented Nov 13, 2025

Rationale

This PR begins integration of Kiwix oauth2 authentication with ory.sh

Changes

  • implement UI login flow for authentication with Kiwix with support for legacy API authentication
  • fetch user scopes/roles from /me endpoint instead of storing the roles in tokens
  • introspect opaque access tokens with ory.sh client and cache results to reduce API calls
  • add new column (idp_sub) to users. This will be the same as their sub from ory.sh

This closes #1509

@elfkuzco elfkuzco marked this pull request as draft November 13, 2025 15:59
@benoit74
Collaborator

benoit74 commented Nov 13, 2025

@elfkuzco is kinda blocked in testing this code by the fact that:

  • ory.sh doesn't want to set CORS to localhost (see https://www.ory.com/docs/guides/cors)
  • they recommend to use Ory Tunnel, but Ory Tunnel seems to need an API key ... which gives full access on the project ... not the kind of access we want to give to developers

I've posted a message on Ory Slack to get assistance, but it looks like we do not have any support besides documentation in our ory.sh plan.

@benoit74
Collaborator

We could probably use our own tunneling service in fact.

I've configured "https://*loca.lt" (from https://localtunnel.me/) as redirect URL and CORS, let me know if it does work (or not, but let's hope for the best)

@elfkuzco elfkuzco force-pushed the zimcheck-results-to-s3 branch 2 times, most recently from e773d11 to 0fda57b Compare November 17, 2025 11:59
Base automatically changed from zimcheck-results-to-s3 to main November 17, 2025 12:06
@elfkuzco
Collaborator Author

elfkuzco commented Nov 17, 2025

The local tunnel closes unexpectedly after some minutes and says tunnel error. I think ngrok is more reliable than them. I have been using their free tunneling and it works quite fine. You could try: https://*ngrok-free.app

@elfkuzco elfkuzco marked this pull request as ready for review November 18, 2025 14:33
@elfkuzco elfkuzco self-assigned this Nov 18, 2025
@elfkuzco elfkuzco requested a review from benoit74 November 18, 2025 14:39
@codecov

codecov bot commented Nov 19, 2025

Codecov Report

❌ Patch coverage is 89.90826% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.48%. Comparing base (37509ca) to head (ea8f991).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
...end/src/zimfarm_backend/api/routes/dependencies.py 72.72% 5 Missing and 1 partial ⚠️
backend/src/zimfarm_backend/api/token.py 93.87% 3 Missing ⚠️
backend/src/zimfarm_backend/db/user.py 85.71% 0 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1518      +/-   ##
==========================================
+ Coverage   83.38%   83.48%   +0.10%     
==========================================
  Files          91       91              
  Lines        4394     4470      +76     
  Branches      468      477       +9     
==========================================
+ Hits         3664     3732      +68     
- Misses        608      613       +5     
- Partials      122      125       +3     

☔ View full report in Codecov by Sentry.

@elfkuzco elfkuzco requested review from benoit74 and removed request for benoit74 November 20, 2025 12:28
@benoit74
Collaborator

@elfkuzco can you try to:

  • not ask for a refresh token anymore on ory.sh
  • not ask for the IDtoken (we don't use it, so removing 'openid' from scope should be fine)
  • implement the silent authentication with silent iframe suggested in ory.sh - how to enable SSO + transparent token refresh in our SPAs kiwix/overview#134 (comment)
  • add a configuration flag allowing to automatically create a new DB user with "no rights" (only viewer) whenever we get an authenticated user (from Kiwix) but no matching DB user
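The PR description above says opaque access tokens are introspected through the ory.sh client with results cached, that roles come from a /me lookup rather than from the token, and that users get an idp_sub column matching their sub; the review request just above asks for a flag that auto-creates a "viewer" DB user when Kiwix authenticates someone with no matching row. The block below is an added example of how those two pieces fit together; it is not zimfarm's code and does not use the Ory SDK. The introspection call, the user store and the flag name are stand-ins, and the response shape follows RFC 7662 (the `active`, `sub`, `username`, `exp` fields). The cache keeps only active results, for at most `ttl` seconds and never past the token's own `exp`, so a revoked token is re-checked within `ttl` and an expired one is never served from cache.

```python
"""Added example (not zimfarm code): TTL-bounded caching of opaque-token
introspection plus lookup of the matching DB user by idp_sub, with an
optional auto-create-as-viewer flag.  All collaborators are hypothetical
stand-ins; the introspection JSON shape follows RFC 7662."""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable

IntrospectFn = Callable[[str], dict]  # hypothetical: opaque token -> RFC 7662 dict


@dataclass
class User:
    username: str
    idp_sub: str  # the `sub` claim reported by the identity provider
    role: str     # "viewer" is assumed here to be the least-privileged role


@dataclass
class UserStore:
    """Stand-in for the users table, keyed by idp_sub."""
    users: dict[str, User] = field(default_factory=dict)

    def by_idp_sub(self, sub: str) -> User | None:
        return self.users.get(sub)

    def create(self, user: User) -> User:
        self.users[user.idp_sub] = user
        return user


class IntrospectionCache:
    """Cache active introspection results for at most `ttl` seconds and never
    beyond the token's `exp`.  Inactive or already-expired results are never
    cached, so a bad token is re-checked upstream on every request."""

    def __init__(self, introspect: IntrospectFn, ttl: float = 60.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._introspect = introspect
        self._ttl = ttl
        self._clock = clock
        self._store: dict[str, tuple[float, dict]] = {}
        self.calls = 0  # upstream introspection calls made (observability)

    def lookup(self, token: str) -> dict | None:
        now = self._clock()
        hit = self._store.get(token)
        if hit is not None and hit[0] > now:
            return hit[1]                      # fresh cache entry
        self._store.pop(token, None)           # stale entry, drop it
        self.calls += 1
        info = self._introspect(token)
        if not info.get("active"):
            return None                        # revoked/unknown: never cache
        expires_at = now + self._ttl
        if "exp" in info:
            expires_at = min(expires_at, float(info["exp"]))
        if expires_at <= now:
            return None                        # active but already past exp
        self._store[token] = (expires_at, info)
        return info


def resolve_user(token: str, cache: IntrospectionCache, store: UserStore,
                 auto_create_viewer: bool = False) -> User | None:
    """Map a bearer token to a DB user via idp_sub.  With the (hypothetical)
    auto_create_viewer flag set, an authenticated subject with no DB row gets
    a new "viewer" user; otherwise the request is treated as unauthenticated."""
    info = cache.lookup(token)
    if info is None:
        return None
    sub = info.get("sub")
    if not sub:
        return None
    user = store.by_idp_sub(sub)
    if user is None and auto_create_viewer:
        user = store.create(User(username=info.get("username") or sub,
                                 idp_sub=sub, role="viewer"))
    return user


# --- constructed sample data standing in for the identity provider ---------
BASE = 1_000_000.0  # constructed "now" used by the sample responses below
FAKE_RESPONSES: dict[str, dict] = {
    "tok-alice":   {"active": True, "sub": "sub-alice", "username": "alice",
                    "exp": BASE + 3600, "scope": "profile"},
    "tok-bob":     {"active": True, "sub": "sub-bob", "exp": BASE + 10},
    "tok-revoked": {"active": False},
    "tok-stale":   {"active": True, "sub": "sub-carol", "exp": BASE - 1},
}


def fake_introspect(token: str) -> dict:
    """Constructed stand-in for the introspection endpoint."""
    return FAKE_RESPONSES.get(token, {"active": False})


class FakeClock:
    """Controllable clock so cache expiry can be exercised deterministically."""
    def __init__(self, now: float = BASE) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    cache = IntrospectionCache(fake_introspect, ttl=60, clock=clock)
    store = UserStore()
    print(resolve_user("tok-alice", cache, store))                           # None: no DB user
    print(resolve_user("tok-alice", cache, store, auto_create_viewer=True))  # viewer created
    print(cache.calls)                                                       # 1: second call was cached
```

The cache is keyed by the raw token, so a shared cache should live in process memory (or be keyed by a hash of the token) rather than in a store other components can read; and because inactive results are never cached, a flood of bad tokens still reaches the introspection endpoint, which is the trade-off the `ttl` bound makes in favour of prompt revocation.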



Development

Successfully merging this pull request may close these issues.

Add support for Oauth2 authentication with ory.sh
