Initial auth key implementation #57

Merged
merged 63 commits into from
Oct 12, 2023

@hategan hategan commented Aug 25, 2023

This implements a workflow for requesting authentication keys through email.

The flow starts with an authentication token request page, which is a captcha-protected email entry. By default, free email services are rejected, but the user is given the opportunity to ask for an exception by justifying, in plain language, why an exception should be made. An admin email then receives the respective text and can approve or deny the request. If using an institutional email or if the exception request is approved, an email with a token is sent to the user. The user is given instructions on how to save and use the token.

Tokens are stored salted and hashed in the database, so a compromise to the database does not mean that the tokens are compromised.
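
The issuance and storage scheme described in the PR description above, as an added Python sketch that is not code from this pull request. The `id.secret` token format, the single salted SHA-256 pass, the in-memory `TokenStore`, the sample domain list and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample list; the page does not say which domains count as free.
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}


class TokenStore:
    """In-memory stand-in for the database table (hypothetical schema)."""

    def __init__(self):
        self.rows = {}  # token_id -> (email, salt, digest)

    @staticmethod
    def _digest(salt: bytes, secret: str) -> bytes:
        # Tokens are 256-bit random values, so one salted SHA-256 pass is
        # enough; user-chosen secrets would need a slow KDF instead.
        return hashlib.sha256(salt + secret.encode()).digest()

    def issue(self, email: str) -> str:
        """Create a token; only the salt and digest are kept server-side."""
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.rows[token_id] = (email, salt, self._digest(salt, secret))
        return f"{token_id}.{secret}"  # sent once by email, never stored

    def verify(self, token: str):
        """Return the owning email for a valid token, else None."""
        token_id, _, secret = token.partition(".")
        row = self.rows.get(token_id)
        if row is None or not secret:
            return None
        email, salt, digest = row
        # Constant-time comparison avoids leaking digest prefixes via timing.
        ok = hmac.compare_digest(digest, self._digest(salt, secret))
        return email if ok else None


def handle_request(store: TokenStore, email: str, exception_approved=False):
    """Issue a token for institutional addresses or approved exceptions."""
    domain = email.rpartition("@")[2].lower()
    if domain in FREE_EMAIL_DOMAINS and not exception_approved:
        return None  # caller routes the justification text to the admin
    return store.issue(email)
```

A dump of `store.rows` yields only salts and digests, so a presented token can be checked but not recovered from the stored data.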

@hategan hategan marked this pull request as draft August 25, 2023 16:58

hategan commented Aug 25, 2023

This is currently a draft because I want to make sure the deployment scripts properly install and configure relevant packages (e.g., postfix)

@andre-merzky andre-merzky left a comment

I like the approach. It's quite some machinery though to get this up and running (postfix). But I don't see a better generic way either... :-/


hategan commented Aug 29, 2023

> I like the approach. It's quite some machinery though to get this up and running (postfix). But I don't see a better generic way either... :-/

Yeah, I was worried about the same thing. But then I managed to set postfix up on my laptop fairly easily and it worked surprisingly well.

I'll deploy this on a test server so we can test it out. One thing that would be nice is a mailing list to send admin requests to.

@hategan hategan marked this pull request as ready for review September 1, 2023 03:37
hategan commented Sep 1, 2023

This should now be ready for review.
It goes together with ExaWorks/psij-python#408
There is a deployment on https://psij.testingeval.psij.io and https://sdk.testingeval.psij.io

You should use psij-ci-setup with PR #408 in psij-python and make sure you set server_url = https://psij.testingeval.psij.io in testing.conf before invoking psij-ci-setup, since the prompts are based on that setting. However, because #408 is not merged yet and the CI driver is always taken from main, you'll need to manually add the key in testing.conf by saying key = "<contents of ~/.psij/key>" (note that it's ~/.psij/key and not ~/.psij/.key -- the dotted one is the old style key and these are only accepted by the server if used previously, which won't be the case for the testing server).

For the SDK, most of this story won't matter and you'll have to request a key manually at https://sdk.testingeval.psij.io/auth.html. For now, you'll also have to send me your email address because the testing server is using a temporary mail gateway (AWS SES) that requires all destination emails to be verified before use.

A note: AWS automatically blocks egress on port 25, so I had to use a mail gateway. However, I got them to remove the block on the LLNL AWS instances and I'll try to configure postfix to send mails directly, but probably not tonight.

@hategan hategan merged commit 1e7ecfd into main Oct 12, 2023
1 check passed
@hategan hategan deleted the require_email_address branch October 12, 2023 16:20