Don't use insecure Auth #90
Comments
We cannot do it. We default the gateway to use nil auth now, so it doesn't need this example field.
We need mechanisms to authenticate the user. One mechanism that we have is Google auth. However, to make testing easy, and be able to have multiple users, we have In the case of NilAuth, which is another auth that @willscott added, collisions are avoided by making sure that sessions are always different. For the developer gateway though, all users will be the same user when using NilAuth. In my opinion we may need to define an authentication mechanism that we can use at least for staging to make our lives easier, which still provides authentication but not tied to Google OAuth.
The setup here seems backwards - if it's a key for users to resume their sessions, they should be given that key from the gateway when their session is established, not get to set it themselves.
@willscott the setup for the sessions? We made the decision of using user generated UUIDs for sessions. How would you like this to work?
This issue is resolved by #91. Let's resume this conversation in oasislabs/oasis-gateway#119.
All HTTP requests to the developer gateway specify 'X-OASIS-INSECURE-AUTH': 'example'. See https://github.com/oasislabs/oasis-client/blob/master/packages/developer-gateway/src/session.ts#L19.
@eauge can you comment on the appropriate path forward here? I.e., what is this field used for and should we make changes here?
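An added illustration of the design question discussed in this thread (not code from the Oasis gateway or client): it contrasts deriving identity from a client-chosen header value with a session key the gateway issues itself. The function and class names, the in-memory store, and the assumption that `establish` is called only after the gateway has authenticated the user are all hypothetical.

```javascript
const crypto = require('node:crypto');

// Scheme A (hypothetical): identity is whatever value the client sends.
// Every client that sends the same constant is treated as the same user.
function identityFromInsecureHeader(headers) {
  return headers['x-oasis-insecure-auth'] || null;
}

// Only a digest of each session key is stored, so a leaked store
// does not reveal usable keys.
function digest(token) {
  return crypto.createHash('sha256').update(token).digest('hex');
}

// Scheme B (hypothetical): the gateway mints the session key and hands it
// to the client when the session is established.
class SessionStore {
  constructor() {
    this.sessions = new Map(); // sha256(key) -> user
  }
  // Assumed to run only after the user has been authenticated.
  establish(user) {
    const token = crypto.randomBytes(32).toString('hex'); // 256 random bits
    this.sessions.set(digest(token), user);
    return token; // returned to the client once
  }
  resume(token) {
    if (typeof token !== 'string') return null;
    return this.sessions.get(digest(token)) ?? null;
  }
}

// Constructed sample requests: two different clients, same header constant.
function demo() {
  const clientA = { 'x-oasis-insecure-auth': 'example' };
  const clientB = { 'x-oasis-insecure-auth': 'example' };
  const store = new SessionStore();
  const tokenA = store.establish('alice');
  const tokenB = store.establish('bob');
  return {
    sameIdentity:
      identityFromInsecureHeader(clientA) === identityFromInsecureHeader(clientB),
    resumedA: store.resume(tokenA),
    resumedB: store.resume(tokenB),
    clientChosen: store.resume('example'), // a self-chosen value resumes nothing
  };
}
```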