
Simple authentication + gallery bulk selection #347

Merged: 183 commits, Aug 25, 2023

gantoine (Member) commented Aug 18, 2023

Another big PR with a million things included, who could have seen this coming? 🙃

Authentication

We've added support for multiple forms of authentication, which can be enabled with the ROMM_AUTH_ENABLED environment variable. The hybrid authentication middleware includes support for sessions, Basic authorization header, and Bearer OAuth2 access tokens.

  • ROMM_AUTH_USERNAME and ROMM_AUTH_PASSWORD should be passed in to create the default admin user
  • ROMM_AUTH_SECRET_KEY is required and can be generated with openssl rand -hex 32

Sessions

When the /login endpoint is called with valid credentials, a session_id is generated, stored as a cookie and sent to the browser. The same token is used to create a cache entry in Redis (or in-memory if Redis is disabled) which maps the token to the user. This way no sensitive information is stored on the client. Note that only Redis-backed sessions will survive a container restart, as in-memory sessions are wiped. Sessions currently do not expire, but this is something we can add if/when Redis becomes required.

Basic authentication

Requests can be made to protected API endpoints with an authorization header. The token is the base64 encoded value of username:password.

curl https://romm_url/api/platforms -H 'Authorization: Basic YWRtaW46aHVudGVyMg=='

OAuth

Along with the above forms of authentication, we've added an endpoint to generate authentication tokens (/api/token). Authenticating with that endpoint will return an access_token valid for 15 minutes, and a refresh_token valid for 2 weeks which allows you to generate a new access token.

The endpoint accepts a username, password and a list of scopes, in the format read:roms write:roms read:platforms.... The list of scopes and endpoints are available to browse via Swagger UI or Redoc (see next section).

Note that the password grant type is the only one supported at the moment.

OpenAPI

As part of this work, our API endpoints are now OpenAPI spec-compliant. The raw JSON spec can be accessed from /openapi.json. We've also enabled access to Swagger UI at /api/docs and Redoc as /api/redoc.

Multi-select

Rolled into this change is the ability to multi and mass-select ROMs in the library. Selected ROMs can be mass-deleted, force rescanned to fetch the latest info from IGDB, and downloaded concurrently. Shift-select and CTRL-select are both supported for easy selection.

Redis

Lastly, we've added the option to enable experimental support for Redis with the ENABLE_EXPERIMENTAL_REDIS environment variable. If enabled, a worker will start up, listen to all 3 queues (low, default, high) and process tasks as they're enqueued. Enabling Redis will have the following benefits:

  • Browser sessions will persist across container restarts/rebuilds
  • Scans will run in an async worker, unblocking the main thread
  • IGDB access tokens will persist across container restarts/rebuilds

We plan to build more features (like scheduled tasks) backed by Redis in the near future. If you'd like to try out Redis, remember to set REDIS_HOST and REDIS_PORT to the correct values for your setup.

Closes #24
Closes #50

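The hybrid middleware described in the PR text (session cookie, Basic header, Bearer token with scopes) can be sketched as a single resolver. The code below is an added illustration written for this page, not RomM's own implementation: it uses in-memory dicts where RomM uses Redis or its in-memory cache, a hypothetical salted SHA-256 password record in place of whatever RomM stores, and the Basic credential from the description's curl example (admin:hunter2) as constructed sample data. Session and Basic principals are treated as unrestricted; Bearer principals carry the scopes the token was issued with and expire after 15 minutes, matching the access_token lifetime in the description.

```python
"""Hypothetical hybrid authenticator: session cookie, Basic, or Bearer token.

Added example; not RomM's code. Stores are plain dicts standing in for Redis.
"""
import base64
import binascii
import hmac
import secrets
import time
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Dict, Optional, Set

ACCESS_TTL = 15 * 60  # access tokens live 15 minutes, as in the PR description


def _hash_pw(password: str, salt: str) -> str:
    # Illustrative salted SHA-256; a real service uses bcrypt/argon2.
    return sha256((salt + password).encode()).hexdigest()


# Constructed user table (admin:hunter2 matches the description's Basic example).
USERS: Dict[str, Dict[str, str]] = {"admin": {"salt": "s0", "pw": _hash_pw("hunter2", "s0")}}
SESSIONS: Dict[str, str] = {}        # session_id -> username (server-side only)
TOKENS: Dict[str, dict] = {}         # access_token -> user, scopes, expiry


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _hash_pw(password, "dummy")  # hash anyway so unknown users cost the same time
        return False
    return hmac.compare_digest(_hash_pw(password, rec["salt"]), rec["pw"])


def login(username: str, password: str) -> Optional[str]:
    """/login: on valid credentials, mint a random session_id and map it to the user."""
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)  # opaque; nothing sensitive reaches the browser
    SESSIONS[sid] = username
    return sid


def issue_token(username: str, password: str, scopes, now: Optional[float] = None) -> Optional[str]:
    """/api/token (password grant): access token bound to the requested scopes."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = {"user": username, "scopes": set(scopes), "expires_at": now + ACCESS_TTL}
    return tok


@dataclass
class Principal:
    user: str
    scopes: Optional[Set[str]] = field(default=None)  # None = unrestricted (session/Basic)


def authenticate(headers: Dict[str, str], cookies: Dict[str, str],
                 now: Optional[float] = None) -> Optional[Principal]:
    """Resolve the caller: Authorization header first, then the session cookie."""
    now = time.time() if now is None else now
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed credential, not an error leak
        username, sep, password = decoded.partition(":")
        if not sep or not verify_password(username, password):
            return None
        return Principal(username)
    if scheme == "bearer":
        rec = TOKENS.get(value)
        if rec is None:
            return None
        if rec["expires_at"] <= now:
            TOKENS.pop(value, None)  # drop expired tokens on first use
            return None
        return Principal(rec["user"], set(rec["scopes"]))
    sid = cookies.get("session_id")
    if sid is not None and sid in SESSIONS:
        return Principal(SESSIONS[sid])
    return None


def authorize(principal: Optional[Principal], required_scope: str) -> bool:
    """Scope check: unrestricted principals pass; token principals need the scope."""
    if principal is None:
        return False
    return principal.scopes is None or required_scope in principal.scopes
```

The order matters: an explicit Authorization header is honoured before the cookie, so an API client holding a scoped token cannot be silently upgraded by a stale browser session. Keeping the session-to-user mapping server-side is what lets the cookie be a random opaque value, which is the property the description relies on.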
@zurdi15 zurdi15 self-assigned this Aug 23, 2023
@zurdi15 zurdi15 marked this pull request as ready for review August 24, 2023 08:20
@zurdi15 zurdi15 merged commit 3aa5fec into master Aug 25, 2023
5 checks passed
@zurdi15 zurdi15 deleted the simple-authentication branch August 25, 2023 19:49
Linked issues closed by this pull request: [Feature] Authentication and user management; [Feature] Bulk edit/rescan option