Security: Need to issue tokens on first-use, and require on subsequent-use

[airjukebox]

At the moment there is no authorization or access control over incoming requests to the airjukebox server API.

This is fine for development purposes, but once in the wild the service would quickly be abused by DoS / spam / manipulation attempts based on the lack of any security controls.

Without requiring explicit authentication, one option is the following:

• On first access to the API - perhaps only via the 'root' service URL ('/'), a GUID token is issued to the calling client
• Subsequent API calls all require this GUID to be passed, and for there to be a record in the system indicating that this is a known user
• All API calls should be made over HTTPS
• Mobile clients may optionally keep the same GUID over time, if there is to be any personalization functionality in future (unknown)

Without HTTPS, sniffing of outgoing requests from wireless access points would be pretty trivial, hence the requirement there.

This approach might need some scrutiny from someone with a bit of client-server security expertise.

[airjukebox]

NB: It is also important that only one device at a time is able to play (consume and mark items as finished) from a particular channel. Otherwise odd situations may occur where other devices remove items from the playlist, forcing other devices to skip, and so forth..

It may still be possible to reach the 'holy grail' of having multiple simultaneous playback devices, but only one must consume/remove items from the queue