Support password-protected releasenotes pages

[stevejalim]

In very rare situations, usually related to security- or business-critical or situations we should be able to password-protect the release-notes pages on mozilla.org (DEV and STAGE)

By default, this should be off.

Ideally there would be a field on the Release admin UI to add a password and to enable its use.

When releases reach production, they should not use password protection even if one is still configured

[stevejalim]

@pascalchevrel No rush to reply, but does the description above cover everything we discussed?

[pascalchevrel]

LGTM

[stevejalim]

Notes to self: The data store between Nucleus and Bedrock is public, so any password would need to be encrypted with a shared secret

[stevejalim]

@pascalchevrel Talking about this with the team and balancing the complexity of getting an encrypted password set in Nucleus into Bedrock via release-notes (and with mixed benefits, given the release-notes repo is public anyway), I have a lower-fidelity suggeestion:

• A checkbox on the release: Password protect this release on Mozorg Dev and Mozorg Stage
• A known username + password pair that applies to all password-protected release pages, which is not configurable (but can of course be rotated/changed if compromised).
• If a Release is marked as password protected, we use HTTP Basic Auth to request that username + password.

We think this would still add enough value, while being significantly simpler to implement. Would it be OK by you/your team?

[pascalchevrel]

basic auth is fine for me (that's what we were doing for release notes on mozilla-europe.org 15 years ago :) )