Basic authentication is going to be needed if we want to allow OTA updates and avoid unwanted software being injected. Here are some points to consider:

- Default access point name is "squeezelite-9999", where 9999 is derived from the CPU's eFuse MAC
- Default user and password set to something as simple as admin/admin-9999, where 9999 are the same letters as the ones for the access point name. This makes it easy to know what the password of the device is on the initial configuration
- During initial configuration, the user must change the defaults before they can configure WiFi
- No need for multi-user; this would add complexity and bring low value
- The user needs to change BOTH the user name and the password

A typical basic auth mechanism would work like this:

1. Upon boot, the ESP32 generates a token (e.g. a GUID)
2. User name/password are passed to a new "/login" handler in the HTTP server code
3. The handler checks the user name/password against an NVS variable
4. If user name/password validation is successful, the ESP32 sends the auth token back as a response through headers (no body needed) with something like "Cookie", "access_token=generated_token"
5. On every subsequent call, the HTTP server validates the token against the known token

From there, an expiry mechanism should likely invalidate the token and generate a new one. For example, every time a request is made with a given token, an expiry counter resets. When a request is made and the token's expiry was reached, a new token is created and the client app goes back to the login screen.
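
The login and token-expiry flow described above, written as host-runnable C; this is an added illustration, not code from the project. The credentials, the 600-second idle timeout and the `/dev/urandom` read (a stand-in for the ESP32 hardware RNG) are assumptions, and on the device the credentials would come from NVS.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 32        /* 16 random bytes, hex-encoded */
#define IDLE_TIMEOUT_S 600  /* assumed value; the page gives no number */
static char g_token[TOKEN_LEN + 1];
static uint32_t g_last_seen;
/* Constructed stand-ins for the user name/password kept in NVS. */
static const char *g_user = "owner", *g_pass = "correct-horse";

/* Host stand-in for the hardware RNG (e.g. esp_fill_random() in ESP-IDF). */
static bool new_token(void) {
    unsigned char raw[TOKEN_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(raw, 1, sizeof raw, f) : 0;
    if (f) fclose(f);
    if (n != sizeof raw) return false;   /* keep the old token untouched */
    for (size_t i = 0; i < sizeof raw; i++) sprintf(&g_token[2 * i], "%02x", raw[i]);
    return true;
}

/* Compare without an early exit, so timing does not reveal a matching prefix. */
static bool ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* Step 1: generate the token at boot. */
bool session_boot(void) { g_last_seen = 0; return new_token(); }

/* Steps 2-4: "/login" handler logic; returns the token to send back, or NULL. */
const char *login(const char *user, const char *pass, uint32_t now) {
    bool ok = ct_equal(user, g_user) & ct_equal(pass, g_pass);
    if (!ok || !g_token[0]) return NULL;
    if (now - g_last_seen > IDLE_TIMEOUT_S && !new_token()) return NULL;
    g_last_seen = now;
    return g_token;
}

/* Step 5 plus expiry: validate, reset the idle counter, rotate when expired. */
bool check_token(const char *presented, uint32_t now) {
    if (!g_token[0] || !ct_equal(presented, g_token)) return false;
    if (now - g_last_seen > IDLE_TIMEOUT_S) { (void)new_token(); return false; }
    g_last_seen = now;
    return true;
}
```

Passing `now` in as a parameter keeps the expiry logic testable off-device; on the ESP32 it would be a monotonic uptime in seconds.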
Any improvement or suggestion is welcome.