feat(auth): Optional IA auth plugin — allow patron borrow via IA S3 credentials

[mekarpeles]

Summary

Add an optional "IA auth" plugin that allows a logged-out patron to borrow a book by providing their Internet Archive S3 credentials as an Authorization: LOW <access>:<secret> HTTP header. When valid, Lenny creates the loan record and sets a session cookie — skipping the OTP flow entirely.

This is useful for Internet Archive Labs' official Lenny instance where patrons are expected to have IA accounts.

How It Works

1. Patron sends Authorization: LOW <access>:<secret> header to POST /v1/api/items/{id}/borrow
2. Lenny (if IA_AUTH_ENABLED=true) validates the S3 keys against archive.org/services/xauthn/?op=s3auth
3. Extracts the patron's IA screenname as their identifier
4. Creates a loan record in the Lenny database
5. Sets a signed session cookie for the patron
6. Returns the normal borrow response

Configuration

New env var (opt-in, default false):

IA_AUTH_ENABLED=true

Only Lenny instances that explicitly enable this plugin will use it. The OTP flow remains unchanged for all other instances.

Files to Change

• lenny/configs/__init__.py — add IA_AUTH_ENABLED config var
• lenny/core/auth.py — add verify_ia_s3_keys(access, secret) -> Optional[str] function that validates via archive.org/services/xauthn/?op=s3auth
• lenny/routes/api.py — in borrow_item(), check for IA S3 auth before the session cookie check when IA_AUTH_ENABLED is set

Companion Issue

• internetarchive/openlibrary#12840 — OL side: require valid IA S3 keys on OTP service endpoints

References

• TheBestBookOn.com IA auth example
• Lenny already stores OL_S3_ACCESS_KEY / OL_S3_SECRET_KEY for admin-side OL auth; patron auth is a parallel but separate concept

[mekarpeles]

PR opened: #184

[ronibhakta1]

Lets not merge this PR. We will merge it in next upcoming PR which has other major refactor which takes care of this PR there and works wothout any issue.