API Authentication

[s2t2]

Right now for testing purposes the API is accepting requests without verifying they originate from the client application. Before moving beyond the testing phase, the API should implement a mechanism for authenticating the client application.

[s2t2]

I think maybe instead of using IP-related checks or API keys, we should pass a token from the client to the server in request headers. Resources:

• http://railscasts.com/episodes/352-securing-an-api?view=asciicast
• https://www.codeschool.com/blog/2014/02/03/token-based-authentication-rails/
• https://sourcey.com/building-the-prefect-rails-5-api-only-app/
• http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html