Token-based authentication (WORK IN PROGRESS) #148
amcgee asked this question in Specs & RFCs
This is a placeholder for a token-based authentication specification. This requires coordination with the backend team and careful consideration of security implications.
There are several challenges with the current cookie-based authentication system, notably among them the imminent switch to default SameSite: Lax cookie security in Chrome and Firefox browsers. This change will prevent our authentication cookies from being included in cross-site requests. While this is not an issue for same-site application hosting (the default in DHIS2), it does break existing developer workflows (localhost:3000 talking to debug.dhis2.org, for instance) as well as (importantly) external applications like public-facing dashboards which might want to fetch data from the DHIS2 API. There is a larger discussion around public data access and security to be had there as well.

We currently support CORS request filtering, but this feature becomes useless when cross-site cookies are disabled. At minimum we should de-duplicate those security gates.

OAuth is currently supported, though we should test its feasibility, but this requires each application to have a registered server component.
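To make the SameSite point concrete, here is an added example (not code from the DHIS2 project or from this thread) that models the decision a browser makes when choosing whether to attach a cookie to a request: same-site requests always carry it, cross-site requests carry it only when the cookie is SameSite=None (which also requires Secure), or, for SameSite=Lax, only on a top-level navigation with a safe method. The "site" computation is simplified to scheme plus the last two host labels rather than the Public Suffix List, and dashboard.example.org is a constructed stand-in for an external dashboard; debug.dhis2.org and localhost:3000 are the hosts named in the post.

```javascript
// Added example (not from the DHIS2 discussion or the DHIS2 code base): a small
// model of the browser's SameSite cookie decision, used to show which of the
// workflows named above keep working under a default of SameSite=Lax.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Simplified "site" of a URL: scheme plus registrable domain. Real browsers
// consult the Public Suffix List; this assumes the registrable domain is the
// last two labels (wrong for suffixes such as co.uk, adequate for the hosts in
// this discussion). A single-label host such as localhost is its own site.
function siteOf(urlString) {
  const url = new URL(urlString);
  const labels = url.hostname.split('.');
  const registrable = labels.length >= 2 ? labels.slice(-2).join('.') : url.hostname;
  return `${url.protocol}//${registrable}`;
}

function isSameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// cookie:  { host, sameSite: 'Strict' | 'Lax' | 'None', secure }
// request: { from: URL of the document making the request, to: target URL,
//            method, topLevelNavigation: true for a link click or address-bar
//            load, false for fetch/XHR/img/iframe subresource requests }
function cookieAttached(cookie, request) {
  const target = new URL(request.to);
  // Cookies only go to the host that owns them (no Domain= attribute handling here).
  if (target.hostname !== cookie.host) return false;
  // A Secure cookie never travels over plain http.
  if (cookie.secure && target.protocol !== 'https:') return false;
  // Chrome and Firefox reject SameSite=None cookies that are not also Secure,
  // so such a cookie is never stored and therefore never sent.
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  // Same-site requests carry the cookie whatever the SameSite value.
  if (isSameSite(request.from, request.to)) return true;
  // Cross-site request: the SameSite value decides.
  switch (cookie.sameSite) {
    case 'None':
      return true;
    case 'Strict':
      return false;
    case 'Lax':
      // Lax allows the cookie only on top-level navigations with a safe method
      // (the temporary "Lax+POST" grace period Chrome applies to cookies with
      // no explicit SameSite attribute is not modelled).
      return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenarios mirroring the cases in the discussion. debug.dhis2.org
// is the host named there; dashboard.example.org is an assumed third-party site.
function evaluateScenarios() {
  const laxSession = { host: 'debug.dhis2.org', sameSite: 'Lax', secure: true };
  const noneSession = { host: 'debug.dhis2.org', sameSite: 'None', secure: true };
  const noneInsecure = { host: 'debug.dhis2.org', sameSite: 'None', secure: false };
  const api = 'https://debug.dhis2.org/api/me';
  const xhr = (from) => ({ from, to: api, method: 'GET', topLevelNavigation: false });
  const nav = (from) => ({ from, to: api, method: 'GET', topLevelNavigation: true });

  return {
    // App served by the DHIS2 instance itself (the default hosting model).
    sameSiteApp: cookieAttached(laxSession, xhr('https://debug.dhis2.org/dhis-web-dashboard/')),
    // Developer workflow: app on localhost:3000 calling the remote instance.
    localDevFetch: cookieAttached(laxSession, xhr('http://localhost:3000/')),
    // The same developer opening the API URL directly in a tab still gets in.
    localDevNavigation: cookieAttached(laxSession, nav('http://localhost:3000/')),
    // External public-facing dashboard on another site.
    externalDashboard: cookieAttached(laxSession, xhr('https://dashboard.example.org/')),
    // Opting the cookie out with SameSite=None; Secure re-enables cross-site use.
    externalDashboardNone: cookieAttached(noneSession, xhr('https://dashboard.example.org/')),
    // SameSite=None without Secure is rejected outright.
    externalDashboardNoneInsecure: cookieAttached(noneInsecure, xhr('https://dashboard.example.org/')),
  };
}

console.log(evaluateScenarios());
```

Running it shows the split the post describes: the same-site app keeps its session, while the localhost:3000 fetch and the external dashboard fetch lose the cookie under Lax, and only SameSite=None together with Secure restores cross-site cookie use. A request that carries its credential in an Authorization header instead of a cookie never enters this decision at all, which is what makes the token-based approach attractive for those two workflows; CORS filtering still governs whether the cross-site page may read the response, so the two gates remain distinct.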