Provider-based authorization, updates to geoservice auth routes #865

Merged
merged 3 commits into from
Nov 26, 2023


rgwozdz
Member

@rgwozdz rgwozdz commented Nov 23, 2023

This PR is primarily concerned with updates to the authentication and authorization implementation. The existing code has some limitations:

  • primary issue is that it is left up to individual output-plugins to invoke the authorize method. This means that even if a Koop instance registered an auth-plugin, some outputs (e.g., vector-tile or OGC outputs) won't be secure

  • the authenticationSpecification method defined by auth-plugins and intended to be used in output-plugin implementations is unnecessary. TMK, it's only ever been used to define a useHttp setting, which is only used in the output-geoservices plugin. Therefore it makes more sense to just make that an option to the output-geoservices plugin, and we can simplify the auth-plugin specification by removing this method

  • registering an auth-plugin means that all requests to all registered providers get authorized by one method (the auth-plugin's authorize method). Different providers might require different auth-methods.

  • users/developers generally know how to develop a provider, and it would be nice if auth-methods could just be added to a given provider as opposed to generating a whole new auth-plugin

To address the listed limitations, this PR includes the following changes:

  • move the invocation of the authorize method to the koop-core's model "pull" methods (pull, pullLayer, pullCatalog, pullStream). This will leave the data secured regardless of the output-plugin by which it is accessed.
  • allow providers to define their own authorize and authenticate methods. These methods will be used preferentially if defined, even if an auth-plugin is registered.
  • eliminate use of authenticationSpecification method in output-geoservice. Add a useHttpForTokenUrl registration option instead

Other updates included here:

  • update the output-geoservices routes; remove the /tokens route in favor of a rest/generateToken route that appears on current versions of the ArcGIS Online and Enterprise ArcGIS Server
  • add owningSystemUrl to the rest/info response of output-geoservices
  • drop support for "generic" and "file-system" plugin types. In practice, these aren't very useful. They simply create a class instance and tack it on to the koop instance as a property. This could just as easily be done outside the Koop class.

@rgwozdz rgwozdz added the enhancement, refactor, major (Increment the major version when merged), release (Create a release when this pr is merged) and tests (Add or improve existing tests) labels Nov 23, 2023
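The central change described in the PR above, enforcing authorization inside the model's pull path and preferring a provider-defined authorize over the auth-plugin's, as an added sketch that is not code from this PR or from Koop. `Model`, `resolveAuthorize`, `tokenCheck`, `vectorTileOutput`, `statusFor` and the token values are hypothetical, and `getData` is a synchronous stand-in.

```javascript
// Added sketch, not Koop's code. Names are hypothetical; calls are synchronous for brevity.

// A provider-defined authorize is preferred over the auth-plugin's.
function resolveAuthorize(provider, authPlugin) {
  if (typeof provider.authorize === 'function') return provider.authorize.bind(provider);
  if (authPlugin && typeof authPlugin.authorize === 'function') {
    return authPlugin.authorize.bind(authPlugin);
  }
  return null; // no auth registered anywhere: data is served openly
}

class Model {
  constructor(provider, authPlugin) {
    this.provider = provider;
    this.authorize = resolveAuthorize(provider, authPlugin);
  }
  // Every output reaches data through pull, so no output can skip the check.
  pull(req) {
    if (this.authorize) this.authorize(req); // throws when the request is rejected
    return this.provider.getData(req);
  }
}

// Builds an authorize function that accepts one constructed bearer value.
function tokenCheck(expected) {
  return (req) => {
    if (req.headers.authorization !== expected) {
      throw Object.assign(new Error('Unauthorized'), { code: 401 });
    }
  };
}

// Constructed fixtures.
const authPlugin = { authorize: tokenCheck('plugin-token') };
const openProvider = { getData: () => ({ type: 'FeatureCollection', features: [] }) };
const strictProvider = { getData: openProvider.getData, authorize: tokenCheck('provider-token') };

// An output that never calls authorize itself, the gap the PR describes.
function vectorTileOutput(model, req) {
  try {
    return { status: 200, body: model.pull(req) };
  } catch (err) {
    return { status: err.code || 500 };
  }
}

function statusFor(provider, plugin, token) {
  return vectorTileOutput(new Model(provider, plugin), { headers: { authorization: token } }).status;
}
```

A token that satisfies the auth-plugin is still rejected for `strictProvider`, because the provider's own authorize takes precedence.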

changeset-bot bot commented Nov 23, 2023

🦋 Changeset detected

Latest commit: 1d72b58

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@koopjs/featureserver Minor
@koopjs/koop-core Major
@koopjs/output-geoservices Major


@rgwozdz rgwozdz merged commit be22508 into master Nov 26, 2023
6 checks passed
@rgwozdz rgwozdz deleted the auth-refactor branch November 26, 2023 00:44