admin auth: server and client

[jmensch1]

This does two main things:

Token-based auth

The backend now has a users table along with routes for creating users and for logging in. The users table stores first name, last name, email, and password hash. There are routes for user registration and login.

An admin clent

I took food-oasis's frontend and removed everything except the auth components. So you can register, login, and logout. No email notifications yet, and no forgot password feature.

Other things

• created a controllers folder in the backend so that routes can be really simple
• switched the DB to use camelCase instead of snake_case (as discussed on slack)

[jafow]

This is a neat pattern

[jafow]

Do we need camel case here passwordHash?

[jmensch1]

so the files in _misc aren't being used right now, I'm just saving them for when I make the migrations real. I'll def fix that when I do

[jafow]

what Http response code gets returned out here?
We should return HTTP 401 here or further up stream on failure

[jmensch1]

The /login route returns a 200 if email is not found. But we return a 401 if the user ever attempts to access a route requiring authentication, and their request doesn't include a valid, unexpired token (see @middleware/authenticate).

My thinking is that we should return a 200 in the email-not-found scenario because because the /login route itself doesn't require a token, and it would confuse things a bit to return a 401 for a route not requiring a token.

[jafow]

Cool this isn't a show stopper at all and better to get this in. but will put into an issue so we can catch later because we should follow the http spec.
401 for failed login (no email or wrong password)
403 for forbidden (you are authenticed but do not have permission to view the resource)