[WIP] implement oauth fix to not accept tokens from any issuer

.gitignore

@@ -1,6 +1,12 @@
 # IDE's
 .idea
 
+# Security - Secrets and credentials
+.secrets.toml
+.env
+*.key
+*.pem
+
 # Custom ignored files
 *.uuid
 

.secrets.toml.example

@@ -0,0 +1,41 @@
+# Secrets Configuration Template
+# Copy this file to .secrets.toml and configure your values
+# WARNING: .secrets.toml should not be committed to version control
+# IMPORTANT: .secrets.toml is already in .gitignore
+
+[default]
+# Database Configuration
+# Format: mongodb://username:password@host:port/database?options
+db.mongodb_uri = "mongodb://username:password@localhost:27017/tesp_db?authSource=admin"
+
+# OAuth2 Configuration
+# Enable OAuth2 authentication
+oauth.enable = true
+
+# List of trusted OAuth2 identity providers
+# Tokens from these issuers will be accepted. All others will be rejected.
+# Example for Keycloak:
+oauth.allowed_issuers = [
+  "https://auth.yourdomain.com/realms/your-realm"
+]
+
+# Example for Google (if using Google OAuth):
+# oauth.allowed_issuers = [
+#   "https://accounts.google.com"
+# ]
+
+# Required audience for tokens
+# This should match the 'aud' claim in your OAuth2 tokens
+# For Keycloak, this is typically the client ID of your application
+oauth.required_audience = "tesp-api-client"
+
+# Cache JWKS (JSON Web Key Set) for this many seconds (default: 300)
+# Reduces HTTP requests to identity provider
+oauth.cache_jwks_ttl = 300
+
+# Basic Authentication Configuration
+# Basic auth is simpler but less secure than OAuth2
+# Only use for development or simple deployments
+basic_auth.enable = false
+basic_auth.username = "admin"
+basic_auth.password = "use-strong-password-here"

README.md

@@ -133,11 +133,15 @@ instead of starting the project locally without `docker`. In that case only thos
 | ftp server     |    -     | _no real recommendation here. docker-compose uses [ftpserver](https://github.com/fclairamb/ftpserver) so local alternative should support same fpt commands_. |  
 
 ### Configuring TESP API
-`TESP API` uses [dynaconf](https://www.dynaconf.com/) for its configuration. Configuration is currently set up by using
-[./settings.toml](https://github.com/CESNET/tesp-api/blob/main/settings.toml) file. This file declares sections which represent different environments for `TESP API`. Default section
-is currently used for local development without `docker`. Also, all the properties from default section are propagated
-to other sections as well unless they are overridden in the specific section itself. So for example if following `settings.toml`
-file is used
+`TESP API` uses [dynaconf](https://www.dynaconf.com/) for its configuration. Configuration is primarily set up by using
+[./settings.toml](https://github.com/CESNET/tesp-api/blob/main/settings.toml) file for non-secret values, and
+[./.secrets.toml](https://github.com/CESNET/tesp-api/blob/main/.secrets.toml.example) (local, not tracked) for sensitive
+credentials.
+
+Configuration sections represent different environments for `TESP API`. The `default` section is used as base configuration
+that propagates to all other sections unless overridden.
+
+Example configuration:
 ```
 [default]
 db.mongodb_uri = "mongodb://localhost:27017"
@@ -146,12 +150,49 @@ logging.level = "DEBUG"
 [dev-docker]
 db.mongodb_uri = "mongodb://tesp-db:27017"
 ```
-then dev-docker environment will use property `logging.level = DEBUG` as well, while property `db.mongodb_uri`
-gets overridden to url of mongodb in the docker environment. `dev-docker` section in current [./settings.toml](https://github.com/CESNET/tesp-api/blob/main/settings.toml)
-file is set up to support [./docker-compose.yaml](https://github.com/CESNET/tesp-api/blob/main/docker-compose.yaml) for development infrastructure.  
-To apply different environment (i.e. to switch which section will be picked by `TESP API`) environment variable
-`FASTAPI_PROFILE` must be set to the concrete name of such section (e.g. `FASTAPI_PROFILE=dev-docker` which can be seen
-in the [./docker/tesp_api/Dockerfile](https://github.com/CESNET/tesp-api/blob/main/docker/tesp_api/Dockerfile))  
+
+To apply a different environment (switch which section will be used by `TESP API`), set the environment variable
+`FASTAPI_PROFILE` to the section name (e.g., `FASTAPI_PROFILE=dev-docker`).
+
+#### Authentication Configuration
+
+TESP API supports OAuth2 (recommended) and Basic Authentication. By default, authentication is disabled.
+
+**OAuth2 Configuration (Recommended for Production):**
+
+Create or update `.secrets.toml` with your OAuth2 settings:
+
+```toml
+[default]
+oauth.enable = true
+
+# List of trusted identity providers (REQUIRED for security)
+oauth.allowed_issuers = [
+  "https://auth.yourdomain.com/realms/your-realm"
+]
+
+# Required audience (should match your OAuth2 client_id)
+oauth.required_audience = "tesp-api-client"
+
+# Cache JWKS for this many seconds (reduces HTTP requests)
+oauth.cache_jwks_ttl = 300
+```
+
+**Important Security Notes:**
+- You must configure `oauth.allowed_issuers` when enabling OAuth2. Tokens from unauthorized issuers will be rejected.
+- The audience verification should be enabled and match your OAuth2 client configuration.
+- See [`.secrets.toml.example`](https://github.com/CESNET/tesp-api/blob/main/.secrets.toml.example) for a complete template.
+
+**Basic Authentication (For Development Only):**
+
+```toml
+[default]
+basic_auth.enable = true
+basic_auth.username = "your-username"
+basic_auth.password = "your-strong-password"
+```
+
+**Warning:** Basic authentication credentials should never be committed to version control. Always use `.secrets.toml` for secrets.  
 
 ### Configuring required services
 You can have a look at [./docker-compose.yaml](https://github.com/CESNET/tesp-api/blob/main/docker-compose.yaml) to see how

requirements.txt

@@ -0,0 +1,25 @@
+# TESP API Python Dependencies
+# Python 3.10.0 or higher required
+
+# Core dependencies
+aio_pika>=9.5.7,<10.0.0
+fastapi>=0.75.1,<0.76.0
+orjson>=3.6.8,<4.0.0
+gunicorn>=20.1.0,<21.0.0
+uvicorn>=0.17.6,<0.18.0
+pydantic>=1.9.0,<2.0.0
+dynaconf>=3.1.8,<4.0.0
+motor>=3.0.0,<4.0.0
+loguru>=0.6.0,<1.0.0
+aiohttp>=3.13.3,<4.0.0
+aioftp>=0.21.0,<1.0.0
+PyMonad>=2.4.0,<3.0.0
+aiobotocore>=2.4.2,<3.0.0
+requests>=2.28.2,<3.0.0
+
+# OAuth2/JWT dependencies with crypto extras
+pyjwt>=2.8.0,<3.0.0
+cryptography>=41.0.5,<42.0.0
+
+# Development dependencies
+pytest>=7.1.1,<8.0.0

settings.toml

@@ -9,9 +9,16 @@ logging.level = "DEBUG"
 logging.output_json = false
 
 oauth.enable = false
+# OAuth2 Configuration
+# IMPORTANT: Only tokens from these issuers will be accepted
+# At least one issuer must be configured when oauth.enable = true
+oauth.allowed_issuers = []
+oauth.required_audience = "tesp-api"
+oauth.cache_jwks_ttl = 300  # Cache JWKS for 5 minutes (in seconds)
+
 basic_auth.enable = false
-basic_auth.username = "user"
-basic_auth.password = "password"
+basic_auth.username = ""
+basic_auth.password = ""
 
 [dev-docker]
 db.mongodb_uri = "mongodb://tesp-db:27017"