Make downloads server-side (python) API calls

[lbeaufort]

- [ ] Set up an IP-whitelisted API key for cloud.gov only, set up the CMS to use it in stage to test. Test by: Users shouldn’t be able to use that API key, but app should
- [ ] Check on API umbrella seemingly removing the / in the IP ranges (52.222.122.97/32 becomes 52.222.122.97 - is it a display issue?
- [ ] Check on where FEC_WEB_API_KEY and FEC_WEB_API_KEY_PUBLIC are used
- [ ] Look at unlimited API key configuration and API backend configuration
- [ ] Do we really need everyone to access the POST/download URL? We could restrict this role to just the CMS key.

We discovered that client-side (browser) API calls won't have the cloud.gov IP address, and it seems that the only way for that to really work would be to make the export call a server-side call.

Plan of attack:

• Investigate making the “Export” API call a server-side (Python) call so that the source IP is cloud.gov.

[lbeaufort]

We discovered that client-side (browser) API calls won't have the cloud.gov IP address, and it seems that the only way for that to really work would be to make the export call a server-side call.

Plan of attack:

• Investigate making the “Export” API call a server-side (Python) call so that the source IP is cloud.gov.
• On the API side, restrict /downloads/ to cloud.gov IP’s. See this PR (https://github.com/fecgov/openFEC/pull/3625/files) for application-level blocking, but we’d want to just whitelist cloud.gov for the /downloads/ endpoint.

[JonellaCulmer]

Closing this ticket in favor of this one: fecgov/openFEC#3630