Support 2FA and any .netrc file

[LucHermitte]

This PR enables two things

Two-Factor authentication on CDSE

Current implementation was not compatible with accounts where 2FA is enabled. The related API is described on https://documentation.dataspace.copernicus.eu/APIs/Token.html

As I wasn't sure how to know whether the account requires 2FA, I didn't try to ask interactively for the 2FA token at the last moment.

Support .netrc stored in any location

I don't store my .netrc directly under $HOME, but elsewhere. I've introduced the same option as the one supported by curl: --netrc-file

I'd have loved to support encrypted .netrc -- which I use with git thanks to git-netrc-credential. Alas I'm afraid this will introduce an unwelcome dependency.

Note that this will also permit to support encrypted .netrc files out-of-the box thanks to:

eof -d 2023-12-09 --netrc-file <(gpg -d ~/.config/.netrc.gpg | grep -v protocol)

Finally

I haven't updated version number.

[scottstanie]

Very cool addition! I hadn't the use of encrypted .netrc files, looks widely useful. Give me a bit to test it out, but I think this looks nice

[LucHermitte]

I'm wondering whether sentineleof could also support authentication with an access_token already obtained. This way we could easily support batch operations where the call to sentineleof is just a part of a bigger processing. The problem is that the 2FA token is refreshed every 30s or so. If we launch a bigger process that downloads EOF files on the fly, we cannot wait between the moment the 2FA token is obtained and when it's used to request the access_token.

We could have a --cdse-access-token parameter that would by-pass calls to get_access_token.

I think it'd be better to do some refactoring like decoupling download_all() from login/password/netrcfile/2FA_token: instead it could receive the access_token instead.

Also it seems search operations don't need us to be authenticated.

[scottstanie]

Oh weird, somehow I didn't see the comment, maybe github didn't update it while I was approving

I'm wondering whether sentineleof could also support authentication with an access_token already obtained. This way we could easily support batch operations where the call to sentineleof is just a part of a bigger processing. The problem is that the 2FA token is refreshed every 30s or so. If we launch a bigger process that downloads EOF files on the fly, we cannot wait between the moment the 2FA token is obtained and when it's used to request the access_token.

We could have a --cdse-access-token parameter that would by-pass calls to get_access_token.

I think that sounds like a great idea.

I think it'd be better to do some refactoring like decoupling download_all() from login/password/netrcfile/2FA_token: instead it could receive the access_token instead.

Agreed that the design is poor right now. A change like that would improve things, as it shouldn't be hard to pass a token. The origin of the repo as "phd code that I just wanted nice for me" is creeping in

Also it seems search operations don't need us to be authenticated.

An even better reason to decouple the access token request

[LucHermitte]

OK. I'll look into it. I don't know how long the access_token stays valid. I'll have to check that first.