Full API code audit

[lonkaars]

A lot of the backend code is pretty spaghetti because it was sort of rushed in order to reach the deadline. Some authentication code is repeated, and socket.io event handlers don't all properly check for authentication. Here's how the authentication decorators should work after the audit (all of them will be defined in api/hierarchy.py)

@util_two_person
def endpoint(token_id: str | None, explicit_id: str | None)
# This decorator doesn't check for hierarchy constraints, but does
# make sure that token_id or explicit_id are valid user_id's

@auth_required(level: "none" | "user" | "mod" | "admin" | "bot") # these are already defined in api/hierarchy.py
def endpoint(user_id: str)
# This decorator only runs endpoint() if token_id from
# @util_two_person is not None and passes hierarchy constraints

@two_person
def endpoint(user_1_id: str, user_2_id: str)
# no authentication, just runs endpoint() if both token_id and
# explicit_id are present from @util_two_person.

If possible these decorators should also work for socket.io event handlers.

If the decorator finds that a token is invalid, or something else happens that doesn't allow the wrapped function to be ran, it should return an empty response along with one of the following http status codes:

• 400 should be used if the request has missing or malformed data
• 401 should be used if a token has expired or is invalid, or a user_id is invalid
• 403 should be used if all data is valid but the hierarchy constraints don't pass

As part of the API code audit, the documentation should also be updated and finished in api/readme.md, and another table for commonly used utility functions and decorators should also be created so it's easier to write new endpoints.

[lonkaars]

The code has been audited, and pretty much all endpoints, and even the socket.io event listeners are using decorators from api/hierarchy.py. I'll now start with updating and finishing the documentation.

[lonkaars]

I've updated the documentation in api/readme.md, and modified dprint.json to use space tabs in python even though I think spaces are hideous. I'll close this issue for now because I think the api code is safe enough right now, though I will be writing unit tests soon.