API authorization
Created by: astex
This provides handshake-style authentication for tunnelspider. Services can be set up to use either secret-based authentication or referrer-based authentication. In the first case, the service sends in a header containing a key and a secret, then receives a token in the response header. The referrer-based authentication case is similar, but the referrer is checked instead of a secret key. Subsequent requests require the token and key headers, which are checked against a Redis cache.
The referrer method is not very secure, but is needed to allow requests from true single-page applications. If we want to be more secure later, we can insist that services perform the handshake server-side and provide the token to their frontend. This has the drawback that services will need to provide a small server-side wrapper.
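A sketch of the handshake described above, added here as an illustration and not taken from the tunnelspider code. The header names, service entries and TTL are assumptions, and a plain dict stands in for the Redis cache so the example runs offline.

```python
import hmac
import secrets
import time

# Constructed sample services; keys, secret and referrer are assumptions.
SERVICES = {
    "svc-backend": {"mode": "secret", "secret": "s3cr3t-constructed"},
    "svc-spa": {"mode": "referrer", "referrer": "https://app.example.test/"},
}
TOKEN_TTL = 900  # seconds; assumed lifetime
_cache = {}  # stand-in for Redis: token -> (service key, expires_at)


def handshake(headers, now=None):
    """Return response headers carrying a token, or None if the handshake fails."""
    now = time.time() if now is None else now
    key = headers.get("X-Api-Key", "")
    svc = SERVICES.get(key)
    if svc is None:
        return None
    if svc["mode"] == "secret":
        # Constant-time comparison; the mode is fixed per service, so a
        # secret-mode service can never authenticate through the referrer path.
        sent = headers.get("X-Api-Secret", "").encode()
        ok = hmac.compare_digest(sent, svc["secret"].encode())
    else:
        # Referer is client-supplied, so this is the weaker mode. The trailing
        # slash in the configured value stops look-alike host prefixes matching.
        ok = headers.get("Referer", "").startswith(svc["referrer"])
    if not ok:
        return None
    token = secrets.token_urlsafe(32)
    _cache[token] = (key, now + TOKEN_TTL)  # with Redis: SET token key EX ttl
    return {"X-Api-Token": token}


def authorize(headers, now=None):
    """Check the token and key headers of a later request against the cache."""
    now = time.time() if now is None else now
    token = headers.get("X-Api-Token", "")
    entry = _cache.get(token)
    if entry is None:
        return False
    key, expires_at = entry
    if now >= expires_at:
        _cache.pop(token, None)  # Redis would expire the entry itself
        return False
    # The token is only valid together with the key it was issued to.
    return hmac.compare_digest(key.encode(), headers.get("X-Api-Key", "").encode())
```
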