Allow anonymous record upload directly to the warehouse

[kazlauskis]

An idea how this could be handled:

1. In the Warehouse add an anonymous website checkbox that could be enabled in the website's profile.
2. An app would use a Client Credentials grant to authenticate itself for anonymous use with a Drupal site. This generates a signed JWT token similar to the Password grant we currently use. The token wouldn’t have any user-related values like email or first/last names. Importantly, it would still be signed and have an expiry (exp) and issuer (iss) fields.
3. Warehouse accepts a sample/occurrence/media POST request with a JWT token.
   1. Checks that it hasn’t expired yet.
   2. Finds the website url in the iss field.
      1. Checks the website has a public key set
      2. Because the email in the JWT is missing it also checks that the website has anonymous use checkbox enabled.
   3. Processes the request
4. For anonymous records it rejects existing record modifications (PUT) or direct downloading (GET), only uploading (POST).
5. (optional for now) for anonymous tokens it allows public report use only.

[kazlauskis]

@johnvanbreda the BRC site migration has broken the current old app so we've got a bit of a rush to push the new update. Do you know when this task could be done?

[johnvanbreda]

I will look at this now @kazlauskis

[kazlauskis]

thanks

[johnvanbreda]

Done. There is now an "Allow anonymous JWT tokens to POST new records" option on the website ID page.

Note that if the user:id is missing from the claim, then the JWT behaves like a standard website authentication for reporting purposes so get's public report access.

[kazlauskis]

Excellent, I can see it now in the warehouse. I will give it a go this afternoon, cheers!