fix: Incorrect Token, TokenBackend typing

[khvn26]

Closes #787.

This PR aims to fix typing for the user-facing parts of tokens.Token, backends.TokenBackend classes:

1. Added The RawToken type to replace the erroneous "Token" annotation.
2. Expanded the incoming raw token type assumption to bytes | str, given the JWT backends support both.

I also added annotations for importable settings.

[Andrew-Chen-Wang]

Thank you for the PR

[Andrew-Chen-Wang]

hm i wish there was a way to customize the typing based on the version of JWT.

Specifically, I wonder if we can import something consistent from PyJWT itself that represents the token. Using a union is also not entirely correct (better than what it was before for sure).

[khvn26]

Using a union is also not entirely correct

It is annotated as this exact union in the recent PyJWT versions.

FWIW, bytes | str is also technically supported since 1.7.1 despite the formal jwt: str annotation — see https://github.com/jpadilla/pyjwt/blob/b65e1ac6dc4d11801f3642eaab34ae6a54162c18/jwt/api_jws.py#L171-L177

[Andrew-Chen-Wang]

do both v1.7.1 and v2.x versions of JWT expect the token to be string? I can understand v2, but how about v1?

[khvn26]

1.7.1 does not implement a PyJWKClient, forcing self.jwks_client to always be None.

Annoyingly, 2.x PyJWKClient.get_signing_key_from_jwt has an incorrect annotation and can actually handle the union type as it wraps code referenced in my other comment. To avoid an extra decode call, I'd just cast it to str until the upstream issue is resolved.

[Andrew-Chen-Wang]

Fwiw, this makes sense to fix mypy. Thanks for fixing this + the investigation!

[Andrew-Chen-Wang]

TODO it seems like we don't have a mypy and pyright type checking step in the CI. It can be added in two ways:

• pre-commit
• separate CI pipeline with a matrix across Python versions (probably using tox is sufficient)

I think either approach is fine, though pre-commit seems easier. This doesn't need to be added to this PR