ANN: api keys rewrite #6738
williamstein announced in Announcements
Yesterday and today I finished and made live a new api key implementation, e.g., this is now in account settings:
There is something similar at https://cocalc.com/config/account/api and ALSO in the settings page for all projects.
These new api keys have an expire date, a name (which you can change at any time or repeat), the secret key itself doesn't get stored in the database (which is much more secure), and there are project specific api keys that only work for api calls for a specific project, rather than for everything. I left in the old api key functionality, but with messages that people should delete them, so the old keys still remain fully supported.
With the new api keys you can have up to 100 different keys active at once. A key can be set to expire at any time and then it is automatically deleted. You can edit the expire date and the name of the key at any time. It's a much better model. Behind the scenes we don't store the key in the database; instead, we just store a hash of it (the same sha-512 with 1000 rounds and salt as for passwords), so we can confirm somebody knows their api key without having to have the key in the database; this is much more secure. I also really like that I can make a key with a 1-day expire, play around with it, and know it's not just going to be a ticking time bomb.
Read more about the API here: https://doc.cocalc.com/api/ and https://doc.cocalc.com/api2/index.html
The motivation for doing this is that project-specific API keys are needed for some new functionality we're implementing right now that will support connecting external computers to a CoCalc project to provide much more powerful compute. Among other things, this will greatly expand the sort of compute we can offer to include GPUs and other vastly more powerful options, and also to support people plugging in their own compute resources.
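The key model described in this announcement (only a salted hash stored, an expire date, optional project scope, a 100-key limit), as an added sketch that is not CoCalc's own code. Assumptions: PBKDF2-HMAC-SHA512 stands in for "sha-512 with 1000 rounds and salt", the `key_id.secret` token layout, the per-account counting of the limit, and the names `ApiKeyStore`, `create` and `verify` are all hypothetical.

```python
import hashlib, hmac, secrets, time

ROUNDS = 1000    # round count stated in the announcement
MAX_KEYS = 100   # active-key limit stated in the announcement (assumed per account)

def _digest(secret, salt):
    # Assumption: PBKDF2-HMAC-SHA512 as the salted, iterated SHA-512 construction.
    return hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, ROUNDS)

class ApiKeyStore:
    def __init__(self):
        self.rows = {}  # key_id -> record; the secret itself is never stored

    def create(self, account_id, name, expire, project_id=None):
        owned = sum(r["account_id"] == account_id for r in self.rows.values())
        if owned >= MAX_KEYS:
            raise ValueError("key limit reached")
        key_id = secrets.token_hex(4)       # public lookup handle (hypothetical layout)
        secret = secrets.token_urlsafe(24)  # shown to the user once, then discarded
        salt = secrets.token_bytes(16)      # per-key salt
        self.rows[key_id] = {
            "account_id": account_id, "name": name, "expire": expire,
            "project_id": project_id, "salt": salt, "hash": _digest(secret, salt),
        }
        return key_id + "." + secret

    def verify(self, presented, project_id=None, now=None):
        """Return the owning account id, or None if the key must be rejected."""
        now = time.time() if now is None else now
        key_id, _, secret = presented.partition(".")
        row = self.rows.get(key_id)
        if row is None:
            return None
        if row["expire"] <= now:
            del self.rows[key_id]           # expired keys are deleted, not kept around
            return None
        # Constant-time comparison of the recomputed hash with the stored one.
        if not hmac.compare_digest(row["hash"], _digest(secret, row["salt"])):
            return None
        # A project-specific key is valid only for calls against that project.
        if row["project_id"] is not None and row["project_id"] != project_id:
            return None
        return row["account_id"]
```

A dump of `rows` gives an attacker salts and hashes but no usable key, and a short-lived key stops working at `expire` without anyone having to remember to revoke it.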