cytoscape / cytoscape-explore

Network visualization webapp.
MIT License

Add secrets to allow for anonymous auth. #70

Closed maxkfranz closed 3 years ago

maxkfranz commented 3 years ago
dotasek commented 3 years ago

I did some testing and have noticed two issues:

1. If I do a PUT statement via a REST client like Insomnia, I noticed that there was an error when the cytoscape-syncher tried to close the secrets database. This appears to be because the secrets database wasn't initialized. I added this to cytoscape-syncher to get it to work:

import { COUCHDB_URL } from '../server/env';
...
//line 81
this.secretsDb = new PouchDB(`${COUCHDB_URL}/secrets`);

2. In the response JSON for creating a new network, url and privateUrl don't resolve without alteration. Currently the return values are all of this format: http://localhost:3000/document/cyac5bb915-d70c-4f53-9deb-16824da9030e/secret. I normally expect them to contain the secret included in the response, like so: http://localhost:3000/document/cyac5bb915-d70c-4f53-9deb-16824da9030e/e4cd6eec-9885-4ba2-9e4b-a0bf4c5f7bdc

This is a simplified edit of a previous comment. The previous comment also discussed the editor, which was out of scope for this PR.

maxkfranz commented 3 years ago

I've pushed the two revisions re. POST /api/document.

Re. the editor: It's not going to show a read-only view until we add that. That would require a complete UI to create/import new networks. It would also require an editable flag in the editor to disable editing components: While you can't edit a document without the proper secret anyway, we wouldn't want to throw all those errors or give the impression that you can edit at a read-only link.

maxkfranz commented 3 years ago

I added basic read-only view support for our discussion later today.

maxkfranz commented 3 years ago

@dotasek, @mikekucera, I've added the restriction we talked about on our call. Users cannot access data in the DB outside of documents via /db/*.
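
An added example, not part of this thread or of the cytoscape-explore code: one way to express the /db/* restriction described in the last comment as a path check that only lets document databases through. It assumes document databases are named "cy" plus a UUID, as in the sample URL earlier in the thread; `isAllowedDbPath` and the sample paths are hypothetical.

```javascript
// Added illustration; not code from cytoscape-explore.
// Assumption: document databases are named "cy" + UUID, as in the sample URL
// in this thread. isAllowedDbPath is a hypothetical helper name.
const DOC_DB = /^cy[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

function isAllowedDbPath(rawPath) {
  if (typeof rawPath !== 'string' || !rawPath.startsWith('/db/')) return false;

  // Drop the query string, then decode each segment exactly once so that
  // encoded separators or dot segments cannot hide from the checks below.
  const pathOnly = rawPath.split('?')[0];
  let segments;
  try {
    segments = pathOnly.slice('/db/'.length).split('/').map(decodeURIComponent);
  } catch (err) {
    return false; // malformed percent-encoding
  }

  // Reject dot segments, decoded slashes and leftover '%' (double encoding):
  // anything the upstream database server could re-interpret as another path.
  const suspicious = s =>
    s === '.' || s === '..' || s.includes('/') || s.includes('%');
  if (segments.some(suspicious)) return false;

  // The first segment is the database name. Only document databases pass,
  // which excludes "secrets", "_users", "_all_dbs" and the server root.
  return DOC_DB.test(segments[0]);
}

// Constructed sample requests (the document id is the one quoted in the thread).
const DOC = 'cyac5bb915-d70c-4f53-9deb-16824da9030e';
const SAMPLE_PATHS = [
  `/db/${DOC}`,
  `/db/${DOC}/_changes?since=0`,
  '/db/secrets/_all_docs',
  '/db/_all_dbs',
  `/db/${DOC}/%2e%2e/secrets`,
];
for (const p of SAMPLE_PATHS) {
  console.log(isAllowedDbPath(p) ? 'allow' : 'deny ', p);
}
```

A check like this belongs in front of whatever forwards /db/* to the database, and it complements rather than replaces the per-document secret check on writes.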