I'm closing all OAuth and most API issues temporarily with the later label.
RE: OAuth, for the next 2-3 months we'll be implementing an official Ghost OAuth login system, providing global access to all Ghost blogs with a single login. We'll be opening issues around this system soon, and I don't want to cause confusion with OAuth for the API.
JSON API Overhaul & OAuth access are currently scheduled next on the roadmap
This belongs to the OAuth Epic: #4004 - please read this for the big picture of what this issue is for :)
Requires #4174
This issue deals with ensuring that only allowed web and installed clients are able to access the Ghost API. The goal is to give the operator of a blog the chance to deny access for clients that are not approved. If the client authentication as described in RFC 6749 2.3 succeeds, only access to public API endpoints is granted. Since the same mechanism is used for installed applications it is not guaranteed that the client can keep secrets and therefore no additional permissions are granted.
Client Authentication can be done using two methods:
Authorization: Basic base64(client_id:client_secret)
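A server-side sketch of the HTTP Basic client check described above, added here as an example and not taken from the issue or from Ghost's code. The registry contents and the names `registeredClients`, `secretsMatch`, `formDecode` and `authenticateClient` are assumptions made for illustration.

```javascript
// Added example: all names and the registry contents are hypothetical.
const crypto = require('node:crypto');

// Constructed sample registry: client_id -> { secret, enabled }.
const registeredClients = new Map([
  ['ghost-admin', { secret: 'not-a-real-secret', enabled: true }],
  ['old-mobile-app', { secret: 'revoked:secret', enabled: false }],
]);

// Compare secrets without leaking where the first mismatch occurs.
// Hashing first yields equal-length inputs, which timingSafeEqual requires.
function secretsMatch(presented, expected) {
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// RFC 6749 2.3.1: id and secret are form-urlencoded before being joined.
function formDecode(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

function authenticateClient(authorizationHeader, clients = registeredClients) {
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/i.exec(authorizationHeader || '');
  if (!m) return { ok: false, reason: 'missing_or_malformed_header' };
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the FIRST colon only
  if (sep < 1) return { ok: false, reason: 'malformed_credentials' };
  let clientId, clientSecret;
  try {
    clientId = formDecode(decoded.slice(0, sep));
    clientSecret = formDecode(decoded.slice(sep + 1));
  } catch (e) {
    return { ok: false, reason: 'malformed_credentials' }; // bad %-escape
  }
  const client = clients.get(clientId);
  // Always run the comparison so unknown ids take the same path as bad secrets.
  const match = secretsMatch(clientSecret, client ? client.secret : '');
  if (!client || !match) return { ok: false, reason: 'invalid_client' };
  // Operator has revoked approval for this client.
  if (!client.enabled) return { ok: false, reason: 'client_disabled' };
  // Successful client authentication grants public endpoints only.
  return { ok: true, clientId, scope: 'public' };
}
```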