LD4P / sinopia_server

[Deprecated - switching to MongoDB] Sinopia Back-end CRUD Service. LDP-inspired, HTTP Server taking JSON-LD resources & administrative metadata.
Apache License 2.0

trellis integration test: client authorization using real JWT #74

Open jmartin-sul opened 5 years ago

jmartin-sul commented 5 years ago

(as distinct from authentication as described in #73)

formalize into JS specs some of the operations described in this section of the wiki: https://github.com/LD4P/sinopia_server/wiki/Draft-Notes-for-Sinopia-Server-API-Spec#create-a-new-group-add-two-profiles-and-assign-group-level--profile-level-permissions

specifically, something like this part:

Now let's assign two sets of permissions: a default Profiles container permissions that lets 3 users edit profiles within and add profiles to the Profiles container, and another that only lets 1 user edit a specific profile within the Profiles container. ... Now if someone other than user suntzu tries to update the Monograph profile, it will throw an error: ...

then confirm that

jmartin-sul commented 5 years ago

easier to do once the tests have authentication working (#77)

ndushay commented 5 years ago

@jmartin-sul this ticket is no longer blocked. Should it be in M3 or M4 or just stay in backlog?

jmartin-sul commented 5 years ago

@ndushay, i think it could be any of those. i'd defer to @jermnelson for prioritization.

i think it does fit with the "user login" theme of M3. but i also don't know that it blocks completion of M3. i would be slightly hesitant to not do it at all in this work cycle, since authZ is important and should get tested, but i don't think it's super urgent.