API: Add Authorization Bearer Token Support; Breakout & Update API

[pglombardo]

Description

This PR improves & cleans up the API:

• The Authorization: Bearer <token> header is the preferred method for all requests.
• Deprecated the X-User-Email and X-User-Token headers.
  • These auth headers will probably still be supported indefinitely for v1 of the API and not carried into v2.
• Broken out API routes into their own controller and namespace.
• Updated API documentation.

Some clients may need minor updates if they were relying on non-standard behavior.

If something breaks, it's likely due to one of the following:

• All API requests must be made to .json endpoints. (e.g. /p.json and NOT /p)
• Unauthorized requests will now return a 401 Unauthorized status code without a response body.
• Bad credentials will now return a 401 Unauthorized. Previously, the API would act anonymously and end up confusing countless victims.
• The API now enforces JSON format for all requests and request body.

See Also

• The JSON API in the doc portal
• The current API spec
• The API on Postman

Related Issue

Type of Change

• 📚 Examples / docs / tutorials / dependencies update
• 🔧 Bug fix (non-breaking change which fixes an issue)
• 🥂 Improvement (non-breaking change which improves an existing feature)
• 🚀 New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to change)
• 🔐 Security fix

Checklist

• I've written tests (if applicable) for all new methods and classes that I created. (rake test)
• I've added documentation as necessary so users can easily use and understand this feature/fix.