[core] Implement bearer token authentication

[em92]

This will allow to write actions, that should be authorized only by instance admin.

For example in my WIP InstagramBridge modifications there 2 actions, that use this feature.

https://github.com/em92/rss-bridge/blob/instagram-rabbitmq/actions/SetBridgeCacheAction.php
https://github.com/em92/rss-bridge/blob/instagram-rabbitmq/actions/PullJobQueueAction.php

[dvikan]

This pr reminds me of a previous issue where they wanted to use an api key in the url to access feeds. This is because their client didnt support HTTP BASIC AUTH.

I prefer to just put this parameter in the url e.g. ?action=ClearCache&key=f423f34f3f3f

Because will make it very use to just e.g. invoke curl without messing with headers.

Also maybe reuse the authentication section from config?

; Enables authentication for all requests to this RSS-Bridge instance.
;
; Warning: You'll have to upgrade existing feeds after enabling this option!
;
; true  = enabled
; false = disabled (default)
enable = false

username = "admin"

; This default password is public knowledge. Replace it.
password = "hunter2"

I prefer ApiAuthenticationMiddleware over APIAuthenticationMiddleware

Lastly I dont think those http codes 403 are sent to client.

[em92]

I prefer to just put this parameter in the url

As result, I will keep both methods, using header and using query parameters. First one is for security, second for easy usage.

[dvikan]

401 Unauthorized is the status code to return when the client provides no credentials or invalid credentials. 403 Forbidden is the status code to return when a client has valid credentials but not enough privileges to perform an action on a resource.

[dvikan]

This class is not in use right now and is a useful class for protecting resources that require the use of access_token. Also nice with a new config access_token that can be used for lots of things.