Server auth / user management

[patrickhulce]

Server is currently unauthenticated, adding auth paves the way for UI and API calls that mutate and/or delete data

• add project-specific admin tokens (631ab01)
• delete projects route protected by admin token (0be8bdc)
• add admin token UI (feat(server): add project settings page for deletion #245)
• add project deletion UI (feat(server): add project settings page for deletion #245)
• add basic auth to server
• add basic auth to ApiClient and wizard/upload options

[patrickhulce]

Current plan here:

• Introduce a second "admin" token that is created at project creation, the admin token should never be exposed publicly in contrast to the current project token
• Require this admin token whenever data is going to be edited or deleted
• Add UI on the server side to enter your admin token that will be saved to localStorage and used for project administrative functions

Punt any more advanced multi-user management features.

[KartoffelToby]

@patrickhulce The current plan sound's good.

I have some proposals too:

• User Auth for the hole UI/API. If i'm right at this time it's only possible with htaccess or comparable
• admin Token for Add Projects via API/UI

[patrickhulce]

Thanks for the feedback @KartoffelToby!

User Auth for the hole UI/API. If i'm right at this time it's only possible with htaccess or comparable

Good suggestion 👍 we plan to accomplish this with Basic auth (updated the todo list with this)

admin Token for Add Projects via API/UI

Creating a new project has the same API-level permissions in our two-tiered model as other current requests i.e. no data is lost or destroyed. In this model, you can either allow untrusted users to create data or you don't. If you want to protect against untrusted users creating data then the server would need to use the Basic auth solution. Project creation UI itself is covered by #86.