Save grade: use score/answer as auth

[smadbe]

Motivations

As shown in the token interaction with tasks, task interactions starts with getting a task token, and then may ask for an answer token or a hint request token, and then the task sends its score to the save grade service, either via a score token (signed by the task grader) or an answer token+score if the task has no server (so basically the score is given by the user himself).

As the task grader may send the score much later, he cannot use the API access token to call the service. Also it does necessarily have the task token.

Subtasks

For the POST /items/save-grade service:

• [x] do not require nor use the access token
• [x] remove the task token from input
• [x] so the input is either the answer token+score, or the score token... these have all the required information to run the service
• [x] make sure you fully validate the tokens, i.e. the signature (from either the task grader for score token, or from the backend if (and only if) the task platform has no keys) and that the date is either today or yesterday)
• [x] do not return the "task token" anymore as we do not use it in practice in the frontend (and the task grader should not get it)
• [x] Update service spec
• [x] Make sure you test both the cases where UserID = and != ParticipantId

[GeoffreyHuck]

There's a problem with the case with only the score_token: we need to know the local item_id to know which keys to use.

I see two options:

• Adding the item_id if there's only the score_token
• A bit dirty but it should work: get the item_id from the token, and verify the signature once we have it. I'm just not sure that we do that easily with the token system, so it might require some work.

[smadbe]

Why wouldn't the LocalItemId work? https://github.com/France-ioi/AlgoreaBackend/blob/master/app/payloads/score_token.go#L15

[GeoffreyHuck]

Actually I was talking about the LocalItemId already. After more thoughts, I think it's best to retrieve it from the token, and verify the signature after (option 2). It's weird given how the token system has been implemented (the payload is retrieved only after the signature was checked) but I think it makes sense.