Add the ability to mint new API tokens through the UI

[nleroy917]

This PR adds the ability for users to create new API tokens on the fly for yourself through the PEPhub user interface. This is just a little easier than using a cli to do the same thing.

Directly addresses: #313

Features

• New "developer settings" modal that users can view on their namespace page
• New endpoints to mint new tokens, delete minted tokens, and view current suite of minted tokens. In theory, this can be done programmatically as well assuming you have an already-valid JWT

Caveats

• these JWT's live in memory on the server with a secret key created at server start time. Therefore, a server restart prior to the expiry of the token would revoke all tokens for all users

The revoking problem

Revoking a token doesn't invalidate it! Because the JWT is a self-contained entity, revoking it does nothing. As long as it was minted with the appropriate secret, it is valid!

A potential workaround is to keep a list of "bad"/"revoked" JWTs and check these on the server when the authorization header is parsed for authorized requests:

authorization = Authorization.replace("Bearer ", "")
if authorization in BAD_JWTS_LIST:
    return {"code": 401, "message": "This token is invalid"}
else:
    # parse

A downside to this is it sets the stage for a nefarious actor to pollute the "bad tokens" in-memory store by continuously minting and revoking tokens until memory runs out. This could be solved via rate limiting the minting of tokens.

[nleroy917]

the "bad tokens" implementation is easy and with the help of a library like slowapi, could be only a few lines of code.

[nleroy917]

A user can only mint 5 tokens max is another great idea proposed by @khoroshevskyi

[nleroy917]

Maybe a combination of everything would be sufficient to deter anyone from being mean and crashing pephub :)

[nleroy917]

Ok -- I have implemented:

1. rate limiting for minting tokens
2. A bad JWTs list that checks for "revoked" tokens

I suppose yet another option we could employ is periodically purging the "bad jwts" list and checking for expired keys (they can be removed since they will be rejected anyways on the basis that they are expired).

[nleroy917]

Last question I have is what to do here:

[nleroy917]

Last thing: clean up the dev modal

[nleroy917]

@khoroshevskyi this is ready for review. Only thing that I haven't tested is deleting all PEPs -- I am afraid too since i have a couple I want to keep 😃 It should work though....

[khoroshevskyi]

Some changes needed,
but works really good