GSA / data.gov

Main repository for the data.gov service
https://data.gov

Add Authentication to Harvest Admin to secure REST endpoints #4842

Open btylerburton opened 3 months ago

btylerburton commented 3 months ago

User Story

In order to ensure that our application is secure, datagovteam wants to add an authentication mechanism to sensitive API endpoints.

This can be as simple as a shared password, or as robust as a JWT token provisioning system that leverages current db users.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

Background

Login.gov is enabled for user interactions in the browser, but Login.gov does not support authentication via API. To ensure that sensitive endpoints which can alter the DB are secure, datagovteam would like to add an authentication method to those endpoints.

Security Considerations (required)

[Any security concerns that might be implicated in the change. "None" is OK, just be explicit here!]

The application endpoints in question are currently locked down behind a cloud.gov login. Opening these up should be predicated on ensuring the same level of application/db security.

Sketch
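The JWT option sketched in the user story, as an added example that is not data.gov project code: a user from a (constructed) DB user table exchanges credentials for an HS256-signed token, and DB-altering requests are only admitted with a valid, unexpired token. `SECRET`, `USERS`, `issue_token`, `verify_token` and `authorize` are assumed names, not the project's own.

```python
# Added example (not data.gov project code): minimal HS256 JWT issuance and
# verification gating DB-altering Harvest Admin endpoints. Names are assumptions.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-dev-secret-rotate-in-real-deployments"
# Constructed stand-in for the existing user table: username -> salted sha256 hex.
USERS = {"harvest-admin": hashlib.sha256(b"salt:correct horse battery staple").hexdigest()}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username: str, password: str, now: float, ttl: int = 3600) -> "str | None":
    """Return a signed JWT for a known DB user, or None if credentials fail."""
    digest = hashlib.sha256(b"salt:" + password.encode()).hexdigest()
    if username not in USERS or not hmac.compare_digest(USERS[username], digest):
        return None
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": username, "exp": int(now) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: float) -> "dict | None":
    """Return the payload if the signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
            return None  # refuse alg=none and algorithm-confusion tokens
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None  # constant-time comparison of the recomputed signature
        payload = json.loads(_unb64url(payload_b64))
        return payload if payload.get("exp", 0) > now else None
    except ValueError:  # malformed base64, JSON or wrong number of segments
        return None

def authorize(method: str, headers: dict, now: float) -> bool:
    """Reads pass; methods that can alter the DB need a valid bearer token."""
    if method in ("GET", "HEAD"):
        return True
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return verify_token(auth[len("Bearer "):], now) is not None

if __name__ == "__main__":
    tok = issue_token("harvest-admin", "correct horse battery staple", time.time())
    print(authorize("POST", {"Authorization": f"Bearer {tok}"}, time.time()))
```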

btylerburton commented 3 weeks ago

Validate current routes and check if this is needed with current offerings