Federated user accounts and organisation membership

[jlabusch]

To get this off the ground we added a Django layer with its own isolated user management... But that created a bunch of extra user management. Which is nice and simple, but a constant drain.
Let's just auth against WRMS instead, and look at the user's organisation membership there to send them to the right dashboard.

For now we won't attempt to make non-default systems safe; not everyone should necessarily be able to see every system even within "their" org. api/config/default.json will still define the "safe" SLA systems for now.

How about:

• Initial auth using https://wrms.catalyst.net.nz/api2/login
• See success, response.fullname and response.organisation_id
• Store the auth token as a cookie
• Refresh the token when needed
• Every so often, validate the token somehow (maybe with a hack like a no-op /api2/user_update call.) Doing it on every API call is probably excessive.
• Do something sane about CSRF
• Probably no persistent storage needed (i.e. nothing like the django_session table); we can get by with a single application instance (i.e. no load balancing to worry about) and don't care if server restarts force everyone to log in again.

[jlabusch]

Do we keep Django at all? Other than auth, it's doing a teeny tiny bit of HTML templating which we could move into JS.