ystv/web-auth

Switch from cookie auth to bearer token auth

rmil opened this issue · 1 comment

rmil commented

Currently we use a cookie to store the access token which works, but it does make development difficult as you need to modify your /etc/hosts file to a subdomain on the given domain. Then with HSTS in play, it does cause quite a thorn. This is because the access cookie will only work on the domain and wildcard of it.

So ideally we want to replace these with bearer tokens in the Authorization header. This should resolve the problem as we are no longer constricted to the domain.

This will also require the clients to be refactored as well, but shouldn't be too bad to do.

Success Criteria

  • The access token given in /api/set_token no longer sets an HTTP cookie but instead returns the JWT in a JSON form.
  • /api/test now checks for the authorization header
  • Update any relevant documentation

In other applications

  • web-api checks the authorization header for JWT.
  • creator-studio and my-tv store the received JWT in memory and set the authorization header.
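
The two halves of the change described above (a JSON-returned JWT from /api/set_token, and an Authorization-header check in /api/test and web-api), as an added example that is not ystv/web-auth's own code. It assumes an HS256-signed JWT with an `exp` claim and a shared key; the claim set and error strings are illustrative.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

var b64 = base64.RawURLEncoding
// The only JOSE header this service accepts; anything else (e.g. alg "none") is rejected.
var header = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

func hs256(in string, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(in))
	return m.Sum(nil)
}

// SignHS256 mints the token /api/set_token would return in its JSON body instead of a Set-Cookie (assumed claim set).
func SignHS256(claims map[string]any, key []byte) string {
	body, _ := json.Marshal(claims)
	in := header + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(hs256(in, key))
}

// Authenticate is the per-request check /api/test and web-api would run: read "Authorization: Bearer <token>",
// pin the header to HS256, compare the MAC in constant time, and require an unexpired exp (now is a Unix timestamp).
func Authenticate(h http.Header, key []byte, now int64) (map[string]any, error) {
	scheme, tok, _ := strings.Cut(strings.TrimSpace(h.Get("Authorization")), " ")
	parts := strings.Split(tok, ".")
	if !strings.EqualFold(scheme, "Bearer") || len(parts) != 3 || parts[0] != header {
		return nil, errors.New("missing, malformed or non-HS256 bearer token")
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return nil, errors.New("bad signature")
	}
	claims := map[string]any{}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	if exp, _ := claims["exp"].(float64); exp == 0 || float64(now) >= exp {
		return nil, errors.New("token expired")
	}
	return claims, nil
}
```

Because the token travels in a request header rather than a cookie, nothing here depends on the request's host, which is the constraint the issue is trying to remove.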

This should have been closed ages ago