AWeber-Imbi / imbi

An operational management platform for medium to large environments
BSD 3-Clause "New" or "Revised" License

Implement CORS in imbi-api #65

Closed dave-shawley closed 2 years ago

dave-shawley commented 2 years ago

I was experimenting with a react-based dashboard that I wanted to use the Imbi API in. When the JS HTTP client makes the CORS pre-flight request on /projects/123456, it receives an unauthorized error:

OPTIONS /projects/123456 HTTP/1.1
Host: imbi.aweber.io
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
Access-Control-Request-Method: GET
Access-Control-Request-Headers: private-token
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: http://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

HTTP/1.1 401 Unauthorized
Date: Thu, 13 Jan 2022 13:45:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Server: imbi/0.14.1
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15724800; includeSubDomains

I curl'd the endpoint including the private token and received a 405:

< HTTP/1.1 405 Method Not Allowed
< Date: Thu, 13 Jan 2022 13:48:12 GMT
< Content-Type: application/problem+json
< Content-Length: 152
< Connection: keep-alive
< Server: imbi/0.14.1
< Vary: Accept-Encoding
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
* Connection #0 to host imbi.aweber.io left intact
{"type": "https://imbi.aweber.io/#method-not-allowed", "status": 405, "title": "Method Not Allowed", "detail": "OPTIONS is not a supported HTTP method"}%

We probably shouldn't be requiring CORS pre-flights to be authorized requests though it does open the common questions of what the CORS policy should be.
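The behaviour the issue asks for, as an added example that is not imbi's code: a framework-agnostic dispatcher that answers a preflight (OPTIONS plus Access-Control-Request-Method, exactly the request shown in the trace) before authentication, using an origin/method/header allowlist, while the real request still needs the Private-Token. The allowlist values and the token value are constructed placeholders.

```python
# Added example (not imbi's code): preflights skip auth, real requests do not.
from typing import Dict, Tuple

ALLOWED_ORIGINS = {"http://localhost:3000"}            # assumed per-deployment allowlist
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}
ALLOWED_HEADERS = {"private-token", "content-type"}    # compared case-insensitively
VALID_TOKEN = "constructed-example-token"              # placeholder, not a real credential

def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}

def is_preflight(method: str, headers: Dict[str, str]) -> bool:
    # A preflight is OPTIONS plus Access-Control-Request-Method, as in the issue's trace
    return method == "OPTIONS" and "access-control-request-method" in _lower(headers)

def preflight_response(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Browsers never attach credentials or custom headers (Private-Token) to a preflight,
    so a 401 here blocks every cross-origin call. Only the allowlists decide."""
    h = _lower(headers)
    origin = h.get("origin", "")
    method = h.get("access-control-request-method", "").upper()
    requested = [x.strip().lower() for x in h.get("access-control-request-headers", "").split(",") if x.strip()]
    if origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS:
        return 403, {}  # no Access-Control-Allow-Origin: the browser refuses the real request
    if any(name not in ALLOWED_HEADERS for name in requested):
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,   # echo only an allowlisted origin, never "*"
        "Vary": "Origin",                          # stop caches replaying one origin's answer to another
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Access-Control-Max-Age": "600",
    }

def handle_request(method: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Dispatch: preflights are answered unauthenticated; everything else is authenticated first."""
    if is_preflight(method, headers):
        return preflight_response(headers)
    h = _lower(headers)
    if h.get("private-token") != VALID_TOKEN:
        return 401, {}
    resp: Dict[str, str] = {}
    origin = h.get("origin", "")
    if origin in ALLOWED_ORIGINS:      # the actual cross-origin response also needs ACAO
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = "Origin"
    return 200, resp
```

A plain OPTIONS without Access-Control-Request-Method is not a preflight and still goes through authentication, which keeps a bare unauthenticated OPTIONS from acting as an endpoint probe.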