feat: validate auth header in session request if provided

[theborakompanioni]

Closes #1244.

Before this PR, the /session endpoint ignores a potentially provided token in the Authorization header.
After this PR, the /session endpoint validates a token provided in the Authorization header and will respond with 401 Unauthorized if the token is invalid.

See #1244 on why this might be beneficial for API users. Summary: It seems like a good alternative to polling an authenticated endpoint and a less error-prone solution than relying on websocket server closes.

[theborakompanioni]

I guess the tests failing in python3.7 has nothing to do with the changes in the PR.

[AdamISZ]

@theborakompanioni ignore that CI test fail, it's a known bug that randomly we can get that relay fee failure.

[AdamISZ]

Yeah :) So, utACK for now, looks correct.

[theborakompanioni]

Tested successfully with joinmarket-webui/jam#223 in case you are wondering. Wanted to write tests but the first few attempts failed. I cannot get my local environment to execute the tests successfully : /

Using python3.10 here - downgrading to python3.9 heavily messes up my system. : /

PS: New to python in general. Hopefully not introducing bugs with so little code.

[AdamISZ]

No worries. Feel free to write down any details of what's going wrong here, if you like. Not only that we can help you but also your experiences might tell us things, especially about 3.10, I'm personally always running 3.8 still and there may be important things to address there.

[kristapsk]

Python 3.10 should work, such tests pass in #1218 (failure with insufficient fee there is known issue happening from time to time, not related to Python versions).

[theborakompanioni]

Updated API docs as well. Hope the optional security spec is working (it should be, according to OAI/OpenAPI-Specification#14)

No worries. Feel free to write down any details of what's going wrong here, if you like. Not only that we can help you but also your experiences might tell us things, especially about 3.10, I'm personally always running 3.8 still and there may be important things to address there.

I will revisit this at a later point and hopefully can provide useful insights. 🙏

[AdamISZ]

Added four checks of /session with a valid token, an invalid token and no token into the existing test flow. I think it does what we want. Once you're happy with this we can merge @theborakompanioni

[theborakompanioni]

Added four checks of /session with a valid token, an invalid token and no token into the existing test flow. I think it does what we want.

Thank you, Adam. Great additions. I will strive for all future changes to include tests so you don't have too much additional work on your plate.

Once you're happy with this we can merge @theborakompanioni

Very happy 🙏