
Security implementation complicates design of browser-based clients #145

Open
munk opened this issue Sep 11, 2016 · 0 comments


munk commented Sep 11, 2016

Currently, the design of the REST service requires any web clients to use a server-side controller in order to mediate communication between the components.

Several changes need to be made to this service to resolve this. There are some issues already open around this topic, but this thread is a comprehensive look at the problem.

  1. CORS needs to be configured to allow preflight OPTIONS requests to resolve correctly from all domains.
  2. CORS needs to allow requests from all IP addresses that might legitimately access it. Perhaps this could be a set of network ranges stored as config or in the database.
  3. Modern browsers have a native widget for basic auth. This breaks WebDriver tests. One option is to disable it for local development. A protocol that doesn't use a native widget, such as OAuth, is preferable though.
  4. Authentication is only configured for User entities, but passwords are available for fieldworkers as well. This means to authenticate fieldworkers their hashed credentials become available in the frontend for any user to view.

The result is that clients need to reproduce the models for the REST service several times and handle authorization on their own. They may also need to create a dedicated "api user", which is not well modeled currently.
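Points 1 and 2 of the list above describe the preflight and origin/network checks the service would need. The following is an added example, not code from this project, of how a preflight handler could answer an OPTIONS request against an allowlist of origins and configured network ranges; the origins, networks, and the `preflight_response` helper are all assumptions made for the example.

```python
import ipaddress
from typing import Optional

# Constructed sample configuration (an assumption; in a real deployment this
# would come from config or the database, as point 2 of the issue suggests).
ALLOWED_ORIGINS = {"https://app.example.org", "https://localhost:3000"}
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS"
ALLOWED_HEADERS = "Authorization, Content-Type"


def client_allowed(origin: Optional[str], client_ip: str) -> bool:
    """Origin must match an allowlisted origin exactly (scheme, host and port),
    and the client address must fall inside one of the configured ranges."""
    if origin not in ALLOWED_ORIGINS:
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def preflight_response(method: str, headers: dict, client_ip: str) -> tuple:
    """Answer a CORS preflight. Returns (status, response_headers).
    `headers` is a dict of request headers with lower-cased names (constructed)."""
    if method != "OPTIONS":
        return 405, {}
    origin = headers.get("origin")
    if not client_allowed(origin, client_ip):
        # No Access-Control-Allow-* headers at all: the browser refuses the real request.
        return 403, {}
    requested = headers.get("access-control-request-method", "")
    if requested not in ALLOWED_METHODS.split(", "):
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,        # echo the matched origin, never "*"
        "Vary": "Origin",                             # shared caches must key on Origin
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Access-Control-Allow-Credentials": "true",   # required when Authorization/cookies are sent
        "Access-Control-Max-Age": "600",
    }
```

Echoing the single matched origin (with `Vary: Origin`) rather than `*` is what makes credentialed requests work without opening the API to every site.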
