Long tokens

[dianagudu]

Meant as a (first try) fix for #33.

TL;DR For long access tokens, hash AT and use hash as an SSH password instead of AT. Maintain a mapping between hash and AT in motley_cue, to be able to retrieve all information about the user from hash at all times.

How it works in more detail:

• add an endpoint /user/generate_otp that triggers the generation of a one-time password (OTP):
  • OTP of fixed length (128 chars) is obtained by hashing AT => can be done independently on client side
  • OTP - AT mapping is stored in a local database
  • response from this endpoint contains whether OTPs are supported, and whether the generation was successful, e.g.:

    {
    "supported": True,
    "successful": True
    }

• motley_cue maintains a lightweight database for mapping OTP to AT
  • DB is encrypted
  • uses file db (sqlite/sqlitedict) s.t. no additional DB server has to be maintained
• when /verify_user is called with an OTP as bearer token
  • OTP is replaced with corresponding AT from database
  • mapping is removed from database (one-time behaviour)
  • /verify_user with AT will still work normally as before
  • reason: /verify_user is always called by PAM with token provided to SSH as password
• mccli will have to provide OTP when prompted instead of AT

TODO: decide on backend to use based on performance & security differences between sqlite and sqlitedict (no real need to offer this option to admins).