First of all - thanks for the package! And to the issue...
In the airlock documentation it's said that
Airlock will only attempt to authenticate using cookies when the incoming request originates from your own SPA frontend.
I think that's a bit misleading. Actually airlock will attempt to authenticate using the session cookie when a referer header with your first-party domain is sent - which can be easily done from any domain or server (with GuzzleHttp for example).
Because of that you can't actually be sure that requests sent from third-party domains are authenticated using an authorization token and not a session. So you can't rely on a number of features (such as limiting request count based on the user's api token and so on, because the user can always exploit session authentication).
So what do you guys think? Is there any way to be sure that we are authenticated with an authorization token? Should the possibility of changing the referer and authenticating with a session from any domain be mentioned in the documentation?
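One way to answer the "is there any way to be sure" question on the application side, as an added example that is not part of the issue or of Airlock itself: a middleware that refuses any request whose authenticated user does not carry a real personal access token, so a session-cookie login (whatever the Referer says) cannot reach token-only routes. It assumes the user model uses Airlock's HasApiTokens trait (which provides currentAccessToken()) and that the package's PersonalAccessToken model is only attached when a bearer token was actually validated.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Laravel\Airlock\PersonalAccessToken;

// Added example for this issue, not shipped by Airlock. Assumption: a user
// authenticated through the session cookie has no PersonalAccessToken
// attached, while a bearer-token login does.
class RequireTokenAuthentication
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Reject session-authenticated (or unauthenticated) users here,
        // independent of the Referer header, so per-token logic such as
        // rate limiting cannot be bypassed by a first-party-looking request.
        if ($user === null || ! $user->currentAccessToken() instanceof PersonalAccessToken) {
            return response()->json(['message' => 'Token authentication required.'], 401);
        }

        return $next($request);
    }
}

// routes/api.php (usage): run the Airlock guard first, then enforce token auth.
// Route::middleware(['auth:airlock', \App\Http\Middleware\RequireTokenAuthentication::class])
//     ->get('/token-only', function (Request $request) {
//         // Safe to key quotas or limits on the token here: it is never null.
//         return ['token_id' => $request->user()->currentAccessToken()->id];
//     });
```

Routes that should keep working for the SPA via the session cookie simply do not get this middleware, so the two authentication paths stay separated per route rather than inferred from the Referer.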