Ensure access tokens can only access specific allowed routes

[knolleary]

This removes verifyTokenOrSession as we want to be more deliberate and explicit over what routes can be accessed by a token, rather than a login session.

We have stories related to user-generated access tokens. When we come to them, we will need to carefully open it back up.

There are three sets of end points that need to be token-accessible:

• /api/v1/user - used as part of nr-auth to get a user's identify when logging into node-red editor
• /api/v1/teams/<teamid>/projects - used by Project Nodes to get a list of projects in the team. I've added logic to verify the token being used belongs to a project owned by the team it is accessing.
• /api/v1/devices/<device>/live/* - used by device agent

I have verified all of those routes behave themselves with this change.

[Steve-Mcl]

This PR looks far better than just checking the user is undefined

Question: when verifying using token, does the request.session.User get populated now or will it still be empty? I ask as I use its absence of the User property to limit the contents of the project listing in the API (Line 118 const limitResponse = ... in forge/routes/api/team.js)

[knolleary]

Tokens are not (currently) associated with a user. At that point in the code, request.session will be defined because it has passed through authentication, but request.session.User will not be defined because it is token based auth.

It would technically be more accurate to use as the check request.session.ownerType === 'project' as that is more explicit. I'll update the PR shortly.

[knolleary]

Change pushed. This is good for final review/merge.