HeloiseS / atlasapiclient


Fixing authentication #3

Open HeloiseS opened 3 months ago

HeloiseS commented 3 months ago

TODO

jackleland commented 2 months ago

Made pull request to limit permissions on writing to the database through endpoints with just a token (https://github.com/genghisken/psat-server-web/pull/29).

A couple of things to note:

  1. Tokens can seemingly be obtained through the api/auth-token/ endpoint with a username and password, and once granted are currently eternal - we probably want to restrict this but it requires changing the model/migrating the database
  2. By my testing, tokens do not seem to make it to the server when passed through the Authorization header in the http request (as per https://github.com/HeloiseS/atlasapiclient/blob/a97ac097670a867bb3aba4645427f50e2f587571/atlasapiclient/client.py#L64), they have to be passed in as a query parameter. Is there a reason for this? I think ideally you would not have to pass your access token as a query param!

Do we want to update this client to ask for username and password if a token is not provided?

jackleland commented 2 months ago

token expiry hierarchy:

- vra (admin) -> doesn't expire
- OxQUB & friends -> expire after 1 year
- strangers -> 1 week
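
Added example (not the project's own code) of the expiry hierarchy above as a server-side check. It assumes each token record carries a timezone-aware creation timestamp and a tier name; the tier names `admin`, `trusted` and `stranger` and the constructed sample tokens are illustrative. Two edge cases a practitioner wants handled: an unknown tier falls back to the shortest lifetime rather than to "never expires" (fail closed), and naive datetimes are rejected so a server in a different timezone cannot silently extend a token's life.

```python
"""Tiered token expiry check (added example)."""
from datetime import datetime, timedelta, timezone

# Lifetime per tier, from the hierarchy in the thread. None means never expires.
TOKEN_LIFETIMES = {
    "admin": None,                    # vra (admin)
    "trusted": timedelta(days=365),   # OxQUB & friends
    "stranger": timedelta(days=7),    # strangers
}
# Unknown tiers fail closed: they get the shortest lifetime, not an infinite one.
DEFAULT_LIFETIME = TOKEN_LIFETIMES["stranger"]


def _require_aware(dt, name):
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def token_expires_at(created, tier):
    """Return the expiry instant for a token, or None if it never expires."""
    _require_aware(created, "created")
    lifetime = TOKEN_LIFETIMES.get(tier, DEFAULT_LIFETIME)
    return None if lifetime is None else created + lifetime


def is_token_valid(created, tier, now=None):
    """True while now is strictly before the expiry instant.

    A token created exactly one lifetime ago is already expired.
    """
    now = now if now is not None else datetime.now(timezone.utc)
    _require_aware(now, "now")
    expires_at = token_expires_at(created, tier)
    return expires_at is None or now < expires_at


def authenticate(token_record, tokens, now=None):
    """Resolve a presented key against a constructed store; None if rejected.

    `tokens` maps key -> {"user": ..., "created": ..., "tier": ...}.
    """
    rec = tokens.get(token_record)
    if rec is None or not is_token_valid(rec["created"], rec["tier"], now):
        return None
    return rec["user"]


# Constructed sample store (not real tokens): one token per tier.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TOKENS = {
    "tok-admin":    {"user": "vra",   "tier": "admin",
                     "created": NOW - timedelta(days=3650)},
    "tok-trusted":  {"user": "oxqub", "tier": "trusted",
                     "created": NOW - timedelta(days=364)},
    "tok-stranger": {"user": "guest", "tier": "stranger",
                     "created": NOW - timedelta(days=7)},
    "tok-odd":      {"user": "mystery", "tier": "vip",
                     "created": NOW - timedelta(days=8)},
}

if __name__ == "__main__":
    for key in SAMPLE_TOKENS:
        print(key, "->", authenticate(key, SAMPLE_TOKENS, NOW))
```

Expiry is derived from the creation timestamp rather than stored, so the lifetime table can be tightened later without a second migration; rotating a tier down takes effect immediately for every existing token in it.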

jackleland commented 1 month ago

Addressed, pending proper migration implementation, as of https://github.com/genghisken/psat-server-web/pull/30