Implement Bookshare OAuth Integration for Print Disability Qualification Flow

[Copilot]

This PR implements a complete OAuth integration with Bookshare that allows users with print disabilities to automatically qualify for special access on Open Library by connecting their Bookshare accounts during registration.

Overview

Previously, users who selected "BookShare" as their print disability authority had to go through a manual verification process via email. This implementation streamlines the qualification process by integrating directly with Bookshare's OAuth API to automatically verify eligibility.

Key Components

1. OAuth Client Implementation (openlibrary/core/auth.py)

• Complete OAuth 2.0 flow implementation with Bookshare API
• Authorization URL generation with CSRF protection via state parameter
• Secure token exchange and user information retrieval
• Eligibility verification based on Bookshare membership status and qualifications
• Comprehensive error handling and logging

2. Account Controllers (openlibrary/plugins/upstream/account.py)

• account_bookshare: Handles OAuth initiation and callback processing
• account_bookshare_complete: Manages OAuth completion for users who weren't logged in during callback
• Robust session management with fallbacks for environments without session support
• Seamless integration with existing print disability request status tracking

3. User Interface (openlibrary/templates/account/bookshare.html)

• Clean, accessible OAuth verification page with clear instructions
• Prominent "Connect with Bookshare" button for OAuth initiation
• Error handling with user-friendly messages
• Alternative flow for users without Bookshare accounts
• Responsive design with embedded CSS

4. Registration Flow Integration

• Modified account creation to set bookshare_oauth_pending cookie for BookShare users
• Updated login flow to redirect BookShare users to OAuth verification instead of email workflow
• Automatic transition from PDRequestStatus.REQUESTED to PDRequestStatus.FULFILLED upon successful OAuth verification

User Flow

1. User creates Open Library account and selects "BookShare" as their qualifying program
2. After email verification and login, user is automatically redirected to /account/bookshare
3. User clicks "Connect with Bookshare" and completes OAuth authorization on Bookshare.org
4. System exchanges authorization code for access token and retrieves user profile
5. If user has active Bookshare membership with print disability qualification, their OL account is automatically marked as fulfilled
6. User receives confirmation and gains immediate access to the print disability collection

Configuration

The integration requires Bookshare OAuth credentials to be added to olsystem.yml:

bookshare_oauth:
  client_id: "your_bookshare_client_id"
  client_secret: "your_bookshare_client_secret"
  base_url: "https://api.bookshare.org"
  redirect_uri: "https://openlibrary.org/account/bookshare"

Security Considerations

• OAuth state parameter prevents CSRF attacks
• Access tokens are not permanently stored
• All OAuth communications use HTTPS
• Session fallbacks handle environments without session support
• Comprehensive input validation and error handling

Benefits

• Instant qualification: No manual review needed for verified Bookshare users
• Improved accessibility: Streamlined process for users with print disabilities
• Reduced administrative burden: Automated verification reduces manual processing
• Enhanced security: OAuth provides secure account linking without password sharing

Fixes #11155.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.