
Issue temporary auth tokens for guest accounts, and allow tracking of these tokens #29011

Open
ShadowJonathan opened this issue Jan 29, 2024 · 1 comment
Labels
suggestion Feature suggestion

Comments

@ShadowJonathan (Contributor)

ShadowJonathan commented Jan 29, 2024

Pitch

Have Mastodon Web acquire a "guest token" when loading a page, so that it can issue all further API requests through this token.

Then allow admins (or developers) to set access limitations to this token, such as IP ranges, browser AP, or other markers, to then recognise a user by.

Motivation

After figuring out that someone is specifically scraping /accounts/:id/statuses with account IDs they previously got, I want to lock down our server, and/or make it more difficult to make actors "simply" use open API access like this to grab posts.

First I looked to close API access completely unless it had a browser cookie, but API requests don't contain a browser cookie (which could implicitly have contained a browser session).

This approach would at least slow down unbounded and unchecked scraping, and allow admins to build tools to track, check, and block suspicious traffic.

@ShadowJonathan ShadowJonathan added the suggestion Feature suggestion label Jan 29, 2024
@solonovamax

also, perhaps:

  • rate limits for how frequently a new "guest token" can be issued for an IP, or IP ranges. (If the guest token is only valid for, say, 15 mins, then allow more than 1 token per 15 mins, as sometimes legitimate users may clear browser cookies and re-request a page, only to be blocked.)
  • allow admins to disable the guest token altogether, if they do not want unauthenticated users to view posts
  • limitations to frequency of requests even when you have a guest token
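The two comments above sketch a mechanism: a short-lived guest token handed to the web client on page load, bound to a network range, with a cap on how often a range may obtain a fresh token and a cap on how many API requests a single token may make. The following Ruby sketch is an added example of that design and is not Mastodon code; the class name `GuestTokens`, the limits, the `/24` and `/64` binding prefixes and the HMAC-signed token format are all assumptions made for illustration.

```ruby
require "openssl"
require "base64"
require "json"
require "ipaddr"
require "securerandom"

# Hypothetical guest-token issuer/validator for an unauthenticated web client.
# Not Mastodon's implementation; every name and limit here is an assumption.
class GuestTokens
  TTL = 15 * 60          # token lifetime in seconds (the 15 minutes suggested above)
  ISSUE_LIMIT = 3        # fresh tokens a network prefix may obtain per TTL window
  REQUEST_LIMIT = 120    # API requests one token may make per TTL window
  PREFIX_V4 = 24         # bind IPv4 clients to their /24
  PREFIX_V6 = 64         # bind IPv6 clients to their /64

  Result = Struct.new(:ok, :reason)

  # `now` is injectable so expiry and rate windows can be exercised offline.
  def initialize(secret, enabled: true, now: -> { Time.now.to_i })
    @secret = secret
    @enabled = enabled
    @now = now
    @issued = Hash.new { |h, k| h[k] = [] }    # prefix   => issue timestamps
    @requests = Hash.new { |h, k| h[k] = [] }  # token id => request timestamps
  end

  # Issue a token bound to the caller's network prefix. Returns nil when guest
  # access is disabled or the prefix has already been issued ISSUE_LIMIT tokens
  # within the last TTL seconds (more than one, so a cleared cookie is not fatal).
  def issue(client_ip)
    return nil unless @enabled
    prefix = network_prefix(client_ip)
    t = @now.call
    recent = @issued[prefix].select { |ts| t - ts < TTL }
    return nil if recent.size >= ISSUE_LIMIT
    @issued[prefix] = recent + [t]
    payload = { id: SecureRandom.hex(8), net: prefix, iat: t, exp: t + TTL }
    body = Base64.urlsafe_encode64(JSON.generate(payload))
    "#{body}.#{sign(body)}"
  end

  # Validate a token presented on an API request from client_ip. Rejects
  # forged, expired or off-network tokens, then enforces the per-token limit.
  def check(token, client_ip)
    return Result.new(false, :disabled) unless @enabled
    body, sig = token.to_s.split(".", 2)
    return Result.new(false, :malformed) if body.nil? || sig.nil?
    return Result.new(false, :bad_signature) unless secure_equal(sign(body), sig)
    payload = JSON.parse(Base64.urlsafe_decode64(body))
    t = @now.call
    return Result.new(false, :expired) if t >= payload["exp"]
    return Result.new(false, :wrong_network) unless payload["net"] == network_prefix(client_ip)
    recent = @requests[payload["id"]].select { |ts| t - ts < TTL }
    return Result.new(false, :rate_limited) if recent.size >= REQUEST_LIMIT
    @requests[payload["id"]] = recent + [t]
    Result.new(true, :ok)
  end

  private

  def network_prefix(ip)
    addr = IPAddr.new(ip)
    bits = addr.ipv4? ? PREFIX_V4 : PREFIX_V6
    "#{addr.mask(bits)}/#{bits}"
  end

  def sign(body)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, body)
  end

  # Constant-time comparison so signature checks do not leak via timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  gt = GuestTokens.new("replace-with-a-server-secret")
  tok = gt.issue("203.0.113.45")            # constructed sample client address
  puts "issued: #{tok}"
  puts "same /24:  #{gt.check(tok, '203.0.113.46').reason}"
  puts "other net: #{gt.check(tok, '198.51.100.7').reason}"
end
```

The token carries its own expiry and network binding under an HMAC, so the server only has to keep the two small rate-limit tables; the ":reason" values are what an admin tool would log and aggregate to spot a scraper cycling tokens or addresses. Binding to a prefix rather than the exact address is a deliberate trade-off: it tolerates ordinary address churn behind NAT and mobile carriers while still forcing a scraper to change networks, not just tokens.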

Development

No branches or pull requests

2 participants