API security - authentication, CORS settings #8

Open
5 tasks
alexbojko opened this issue Mar 31, 2022 · 1 comment
Labels
invalid This doesn't seem right

Comments

@alexbojko (Collaborator) wrote:

As an API user:

I believe we should have an authentication mechanism for API endpoints.
Possible solutions:

  • basic auth - using nginx
    • usually, for that kind of auth, logins/passwords are stored in a config file (not secure, hard to maintain)
    • nginx-db-auth to store login/password in a DB
  • API token - stored in a DB
  • third party SSO mechanism (OAuth) for example [Auth0](http://auth0.

Needs to be done in this scope:

  • Choose authentication method
  • Implement it on the API or Infra layer
  • Write tests
  • QA
  • Deploy
@aih (Collaborator) commented Mar 31, 2022

Of these, I lean toward the token approach. The API is intended for two purposes:

  1. As a service for the BillMap UI
  2. As a public API for others who may want to use the data.

The second goal is something we will implement in the future, but it is not a near-term goal.

For 1., we want enough security to prevent malicious use, but don't want to make our own use a lot more complicated. For this, rate limits and settings on nginx may be enough.

For 2., we want to support certain users who may call the API at higher volumes. For that, I think that tokens are a reasonable approach and consistent with other public APIs, like the ones at GPO.gov.
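The following is an added example, not code from the BillMap project or from either commenter, of the "API token stored in DB" option listed in the issue and favoured in the comment above, combined with the per-client rate limit the comment mentions. It assumes a hypothetical in-memory table standing in for the project's database, stores only a SHA-256 digest of each token (so a leaked table does not yield usable credentials), compares digests in constant time, supports revocation, and applies a fixed one-minute quota per token; the function names are the example's own.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory stand-in for the project's database (example only).
# Keyed by the SHA-256 hex digest of the token; the plaintext is never stored.
TOKEN_DB: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(owner: str, requests_per_minute: int) -> str:
    """Generate a random token, store only its hash and quota, return the plaintext once."""
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG randomness
    TOKEN_DB[_digest(token)] = {
        "owner": owner,
        "limit": requests_per_minute,
        "window_start": 0.0,
        "count": 0,
        "revoked": False,
    }
    return token


def revoke_token(token: str) -> None:
    """Mark a token unusable without deleting its audit record."""
    record = TOKEN_DB.get(_digest(token))
    if record is not None:
        record["revoked"] = True


def _find_record(token: str) -> Optional[dict]:
    """Match the presented token's digest against stored digests in constant time."""
    presented = _digest(token)
    for stored, record in TOKEN_DB.items():
        if hmac.compare_digest(stored, presented):
            return record
    return None


def authenticate(token: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'unauthorized' or 'rate_limited' for a presented token.

    The quota is a fixed one-minute window per token, i.e. a per-client
    limit rather than the global nginx limit the UI use case needs.
    """
    now = time.time() if now is None else now
    record = _find_record(token)
    if record is None or record["revoked"]:
        return "unauthorized"
    if now - record["window_start"] >= 60:
        record["window_start"] = now
        record["count"] = 0
    if record["count"] >= record["limit"]:
        return "rate_limited"
    record["count"] += 1
    return "ok"


def authorize_request(headers: Dict[str, str], now: Optional[float] = None) -> int:
    """Parse 'Authorization: Bearer <token>' and map the outcome to an HTTP status."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401
    outcome = authenticate(token, now)
    return {"ok": 200, "unauthorized": 401, "rate_limited": 429}[outcome]


if __name__ == "__main__":
    demo = issue_token("billmap-ui", requests_per_minute=60)
    print("issued token (show once):", demo)
    print("first request ->", authorize_request({"Authorization": "Bearer " + demo}))
    revoke_token(demo)
    print("after revoke ->", authorize_request({"Authorization": "Bearer " + demo}))
```

Returning the plaintext only at issue time and storing a digest is what makes the DB-backed token option safer than a password list in an nginx config: the table holds nothing reusable, and revoking or rotating a single client's token does not require touching the infrastructure layer.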

@alexbojko alexbojko added the invalid This doesn't seem right label Apr 1, 2022