This repository has been archived by the owner on Feb 1, 2023. It is now read-only.

API Authorization #217

Closed
7 tasks done
amercader opened this issue May 16, 2017 · 0 comments · Fixed by #242

amercader commented May 16, 2017

On top of #166 we need to implement some form of authorization.

I think that the best approach will be to implement API tokens. Goals are:

  • Be able to authenticate calls being done to the API, especially POST calls to create sources, jobs. All these need to be linked to an actual user in the system
  • Be able to mark sources as private so reports are not visible by default

For a first simple implementation we could go for:

  • One token per user (if it really makes things easier, but at least on the backend it might be really easy to support multiple ones per user)
  • Token needs to be able to be revoked / regenerated
  • All API sources / reports are public

Tasks:

  • Changes in user model to store API token(s).
  • Methods to create / update / delete tokens
  • Check authorization on API blueprint endpoints based on incoming Authorization header. We can use flask-login for this.
  • Show user token on settings page (New tab on "Manage sources"?)

Second stage

  • Sources created have a public param that defaults to True, but that can be set at creation time to False (or on update)
  • Users can have multiple tokens. Tokens can have a descriptor to help identify them.
  • Changes in model to store n tokens
  • Check authorization on API source pages / reports to see if the source is private or not - MOVED Sources support in job API #166
  • UI for handling multiple tokens
@amercader amercader added this to the Gamma milestone May 16, 2017
@amercader amercader self-assigned this May 17, 2017
@amercader amercader assigned roll and unassigned amercader May 26, 2017
This was referenced Jun 7, 2017
@roll roll closed this as completed in #242 Jun 8, 2017
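
The token lifecycle and Authorization header check from the task list above, as an added example that is not part of the original issue or the project's code. The `TokenStore` class, the `Bearer` scheme, and storing only a SHA-256 digest of each token are assumptions; the issue does not specify them.

```python
import hashlib
import hmac
import secrets


def _digest(token):
    # Store only a hash, so a leaked token table does not leak usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in for the user model's token table (hypothetical)."""

    def __init__(self):
        self._tokens = {}  # token_id -> {"user_id", "digest", "description"}

    def create(self, user_id, description=""):
        token_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)  # shown to the user once, never stored
        self._tokens[token_id] = {"user_id": user_id, "digest": _digest(token),
                                  "description": description}
        return token_id, token

    def revoke(self, user_id, token_id):
        row = self._tokens.get(token_id)
        if row is None or row["user_id"] != user_id:
            return False  # users may only revoke their own tokens
        del self._tokens[token_id]
        return True

    def regenerate(self, user_id, token_id):
        row = self._tokens.get(token_id)
        if not self.revoke(user_id, token_id):
            return None
        return self.create(user_id, row["description"])

    def authenticate(self, authorization_header):
        """Return the user id for a valid 'Bearer <token>' header, else None."""
        scheme, _, token = (authorization_header or "").strip().partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return None
        candidate = _digest(token.strip())
        user_id = None
        for row in self._tokens.values():
            # Constant-time digest comparison; every row is scanned regardless of match.
            if hmac.compare_digest(row["digest"], candidate):
                user_id = row["user_id"]
        return user_id
```

With flask-login, `authenticate` could be called from a `request_loader` callback with the incoming request's `Authorization` header, returning the matching user object or `None`.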