Setup Authorization logic

[briri]

Once the authentication logic is working, we need to incorporate authorization logic.

See: https://www.apollographql.com/docs/apollo-server/security/authentication

We will need several levels:

• [ ] Update the DMP ID schema to mask/exclude user emails unless the User is authenticated and an admin for one of the affiliations
• [ ] Update the DMP ID schema to exclude the narrative download URL for non-public DMP IDs
• [ ] Add logic that applies the following for DMP ID access
  • [ ] Public plans are queryable by all (authentic or not)
  • [ ] Public plans cannot be mutated unless the User is authenticated and either a contact/contributor OR is an admin for one of the affiliations
  • [ ] Private plans are not queryable/mutable unless the User is authenticated and either a contact/contributor OR is an admin for one of the affiliations

We should also:

• [ ] Extract the DMP ID model from the resolver so that they are in separate files

Additional logic will need to be added as we add new parts to the system (e.g. guidance groups, templates, etc.)

[briri]

• Enable CORS in Apollo to restrict domain access
• We will use JWT for user auth. Apollo server generates upon login, nextJS passes JWT to Apollo on each call.
• Apollo server provides auth/token endpoints. User creation/editing done through normal GraphQL calls
• Do we envision a need for Sessions? Is there data that the frontend should persist? If so, is a shared Redis (or similar) cache a suitable store?