Validation of API input params

[bakert]

Some stuff that needs to happen here:

• [ ] Issues with what you sent us need to return 400 Bad Request and a JSON body not a 500/html body
• [ ] ASC and DESC should be an enum and we should 400 exception when they don't vivify, not the current strings and assert behavior in clauses.{foo}_order_by funcs
• [ ] The various dicts in the various query.foo_order_by funcs should be enums and we should vivify and handle exceptions as 400s when receiving api calls
• [ ] We do this ludicrous casting to str in foo_order_by funcs when we know they have a value but why do we need to do that? remove it? is it for mypy in some way?

[bakert]

If you send us a sql injection attempt in (say) personId or seasonId with an achievementKey when calling /api/decks we will 500 instead of 400 fix that in a general way

[bakert]

this pattern - int(args.get('person_id', '')) - which wILL raise, is so ugly in clauses