Use amsterdam-django-oidc for API authentication (#1497)

* Extend `mozilla_django_oidc.contrib.drf.OIDCAuthentication` to support `ALWAYS_OK` and set the correct realm

* Remove now unused code

* Raise approriate exception when user not found

* Add override decorator

* Replace tests

* Sync mypy baseline

Author: 4c0n

app/mypy-baseline.txt

@@ -6,6 +6,8 @@ signals/apps/signals/models/category.py:0: error: Definition of "refresh_from_db
 signals/apps/signals/models/reporter.py:0: error: Skipping analyzing "django_fsm": module is installed, but missing library stubs or py.typed marker  [import-untyped]
 signals/apps/signals/models/status_message.py:0: error: Need type annotation for "categories"  [var-annotated]
 signals/apps/email_integrations/admin.py:0: error: Skipping analyzing "markdownx.widgets": module is installed, but missing library stubs or py.typed marker  [import-untyped]
+signals/auth/backend.py:0: error: Skipping analyzing "mozilla_django_oidc.contrib.drf": module is installed, but missing library stubs or py.typed marker  [import-untyped]
+signals/auth/backend.py:0: error: Method "authenticate" is marked as an override, but no base method was found with this name  [misc]
 signals/apps/search/rest_framework/serializers.py:0: error: Skipping analyzing "elasticsearch_dsl.response": module is installed, but missing library stubs or py.typed marker  [import-untyped]
 signals/apps/search/documents/base.py:0: error: Skipping analyzing "elasticsearch_dsl": module is installed, but missing library stubs or py.typed marker  [import-untyped]
 signals/apps/reporting/utils.py:0: error: Skipping analyzing "storages.backends.azure_storage": module is installed, but missing library stubs or py.typed marker  [import-untyped]

app/signals/apps/users/tests/test_backend.py

@@ -1,63 +1,25 @@
 # SPDX-License-Identifier: MPL-2.0
-# Copyright (C) 2018 - 2023 Gemeente Amsterdam
+# Copyright (C) 2018 - 2025 Gemeente Amsterdam
+from typing import override
+
 from django.conf import settings
 from django.contrib.auth.models import User
-from django.core.cache import cache
-from rest_framework import exceptions
-from rest_framework.authentication import BaseAuthentication
+from mozilla_django_oidc.contrib.drf import OIDCAuthentication
+from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 
-from .tokens import JWTAccessToken
-
-USER_NOT_AUTHORIZED = "User {} is not authorized"
-USER_DOES_NOT_EXIST = -1
-
 
-class JWTAuthBackend(BaseAuthentication):
-    """
-    Retrieve user from backend and cache the result
-    """
-    @staticmethod
-    def get_user(user_id: int) -> User:
-        # Now we know we have a Amsterdam municipal employee (may or may not be allowed acceess)
-        # or external user with access to the `signals` application, we retrieve the Django user.
-        user = cache.get(user_id)
-
-        if user == USER_DOES_NOT_EXIST:
-            raise exceptions.AuthenticationFailed(USER_NOT_AUTHORIZED.format(user_id))
-
-        # We hit the database max once per 5 minutes, and then cache the results.
-        if user is None:  # i.e. cache miss
-            try:
-                user = User.objects.get(username__iexact=user_id)  # insensitive match fixes log-in bug
-            except User.DoesNotExist:
-                cache.set(user_id, USER_DOES_NOT_EXIST, 5 * 60)
-                raise exceptions.AuthenticationFailed(USER_NOT_AUTHORIZED.format(user_id))
-            else:
-                cache.set(user_id, user, 5 * 60)
-
-        if not user.is_active:
-            raise exceptions.AuthenticationFailed('User inactive')
-        return user
+class JWTAuthBackend(OIDCAuthentication):
+    www_authenticate_realm = "signals"
 
+    @override
     def authenticate(self, request: Request) -> tuple[User, str]:
-        """
-        Authenticate. Check if required scope is present and get user_email from JWT token.
-        use ALWAYS_OK = True to skip token verification. Useful for local dev/testing
-        """
-        auth_header = request.META.get('HTTP_AUTHORIZATION')
-        _, user_id = JWTAccessToken.token_data(auth_header)
-        if user_id == "ALWAYS_OK":
-            user_id = settings.TEST_LOGIN
-
-        auth_user = JWTAuthBackend.get_user(user_id)
+        if settings.SIGNALS_AUTH.get("ALWAYS_OK", False):
+            try:
+                user = User.objects.get(username__iexact=settings.TEST_LOGIN)
+            except User.DoesNotExist as e:
+                raise AuthenticationFailed("User not found") from e
 
-        return auth_user, ''
+            return user, ""
 
-    def authenticate_header(self, request: Request) -> str:
-        """
-        Return a string to be used as the value of the `WWW-Authenticate`
-        header in a `401 Unauthenticated` response, or `None` if the
-        authentication scheme should return `403 Permission Denied` responses.
-        """
-        return 'Bearer realm="signals"'
+        return super().authenticate(request)