chaoss / grimoirelab-bestiary

GNU General Public License v3.0

[server] Allow to add and remove user tokens #102

Closed jjmerchante closed 2 years ago

jjmerchante commented 2 years ago

This pull request includes a new model named Credential that allows users to add tokens for every data source. There are new methods and a GraphQL mutation to add, remove or delete data source credentials.

Each user can only use their own tokens.

This PR also removes the apiToken parameter from fetchGitHubOwnerRepos and selects a user token (if one exists) for that job.

It also includes an Authorization header with the Bestiary JWT token for each call from the UI.

Fixes https://github.com/chaoss/grimoirelab-bestiary/issues/94

evamillan commented 2 years ago

I've tested it from the frontend and the queries and mutations work, but I get different errors from the ones in the test_authentication tests when I'm not logged in. In the addCredentials mutation, the error message is `Cannot assign "<SimpleLazyObject: <django.contrib.auth.models.AnonymousUser object at 0x7f6d446842e0>>": "Credential.user" must be a "User" instance.` and in the credentials query, instead of an error, it returns `{ "data": { "credentials": { "entities": null } } }`

evamillan commented 2 years ago

One more thing, I think the tokens are not encrypted on the database, they should be obfuscated in some way.

jjmerchante commented 2 years ago

I've tested it from the frontend and the queries and mutations work, but I get different errors from the one on the test_authentication tests when I'm not logged in. In the addCredentials mutation, the error message ...

Thank you, I didn't notice what happens when the GraphQL API is called with a non-authenticated user. When it requests a list of repositories I changed it to return an empty list; do you prefer an error? I am not sure what the best UX scenario is. For the error when a non-authenticated user adds a new credential I changed the error text.

One more thing, I think the tokens are not encrypted on the database, they should be obfuscated in some way.

I need to think a bit about this part, maybe include a key in the settings to encrypt/decrypt the value of the token.
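The encryption-at-rest idea raised above (a key held in settings used to encrypt and decrypt the stored token value), worked through as an added example that is not part of this pull request or of Bestiary: the master key constant, the settings name and the sub-key labels are assumptions.

```python
"""Encrypt data-source tokens at rest (added example, not Bestiary code).

One master key from settings (a constructed constant here) is split into a
cipher key and a MAC key; HMAC-SHA256 in counter mode gives the keystream and
an HMAC tag over nonce||ciphertext gives integrity (encrypt-then-MAC).
Standard library only; a vetted AEAD such as Fernet is preferable in production.
"""
import base64
import hashlib
import hmac
import secrets

MASTER_KEY = b"\x01" * 32  # constructed demo key; in Bestiary load it from settings
NONCE_LEN, TAG_LEN = 16, 32


def _derive(master: bytes, purpose: bytes) -> bytes:
    """Derive independent sub-keys so the MAC key never equals the cipher key."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter) used as a PRF-based stream cipher."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_token(token: str, master: bytes = MASTER_KEY) -> str:
    """Return a base64 blob nonce || ciphertext || tag that fits a CharField."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per token, so equal tokens differ
    plain = token.encode("utf-8")
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode("ascii")


def decrypt_token(blob: str, master: bytes = MASTER_KEY) -> str:
    """Verify the tag first; a wrong key or a tampered row raises ValueError."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    raw = base64.urlsafe_b64decode(blob)
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("credential blob too short")
    nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential blob failed integrity check")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    return plain.decode("utf-8")
```

Only the blob returned by encrypt_token is written to the Credential row; rotating the settings key means re-encrypting existing rows, since a blob written under another key fails the integrity check rather than decrypting to garbage.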

evamillan commented 2 years ago

When it requests a list of repositories I changed it to return an empty list; do you prefer an error? I am not sure what the best UX scenario is.

It can work either way on the UI since it will only be accessible to users that are logged in, but it could be helpful to return an error in case someone wants to use the GraphQL API without the interface.

jjmerchante commented 2 years ago

I made the following changes: