Open
Description
Currently the PLN plugin allows anyone with the deposit UUID to download the deposit. There should be some kind of authorization check to ensure that it's the PLN service downloading the package rather than a rando.
My recommendation:
- Use JSON Web Tokens, supplied to OJS by the PLN service using the Authorization HTTP header. (We have already added a similar mechanism for Coalition Publica.)
- This will require an API key to be generated in OJS and provided to the PLN service, i.e. during registration. The PLN service will have to store it.
- API keys are currently associated with user accounts, and grant access as though that user were logged in. Since it'll typically be the Journal Manager setting up the PLN plugin, we'll have to either...
  - guide the creation of a user account with lesser permissions, or
  - accept the risk of storing Journal Manager credentials in API key form, or
  - enrich OJS's API key tools to permit the creation of multiple API keys per account with varying permission levels. (This option has already been proposed for the Beacon; ask me for details.)
- This would be backwards-compatible, i.e. OJS versions without checks on the `Authentication` header would simply serve up the deposit as happens now, but OJS versions requiring authentication would check the header. However, PLN plugin users upgrading from no-auth to auth-requiring versions of the plugin would need to be informed of the need for an auth key in their PLN accounts.
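A sketch of the server-side check this issue proposes, added here as an example and not taken from OJS or the PLN plugin. It assumes an HS256 token sent as `Authorization: Bearer <token>`, a shared secret derived from the API key, and an `exp` claim; the function names and sample values are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not OJS or PLN plugin code.

function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64url_decode(string $s) {
    $pad = (4 - strlen($s) % 4) % 4;
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', $pad), true);
}

// Returns the verified claims, or null when the download must be refused.
function verify_deposit_token(?string $authHeader, string $secret, int $now): ?array {
    $re = '/^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/';
    if ($authHeader === null || !preg_match($re, $authHeader, $m)) {
        return null; // header missing or malformed: knowing the UUID is not enough
    }
    [, $h, $p, $sig] = $m;
    $header = json_decode((string) b64url_decode($h), true);
    // Pin the algorithm server-side; a token must not choose it (rejects "none").
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $given = b64url_decode($sig);
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if ($given === false || !hash_equals($expected, $given)) {
        return null; // MAC mismatch, compared in constant time
    }
    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] < $now) {
        return null; // missing or past expiry
    }
    return $claims;
}

// Constructed sample values, for illustration only.
$secret = 'constructed-api-key-secret';
$now = 1700000000;
$body = b64url_encode('{"alg":"HS256","typ":"JWT"}') . '.'
      . b64url_encode(json_encode(['iss' => 'pln', 'exp' => $now + 300]));
$token = $body . '.' . b64url_encode(hash_hmac('sha256', $body, $secret, true));

var_dump(verify_deposit_token("Bearer $token", $secret, $now) !== null);       // valid token
var_dump(verify_deposit_token(null, $secret, $now) !== null);                  // no header
var_dump(verify_deposit_token("Bearer {$token}x", $secret, $now) !== null);    // altered signature
var_dump(verify_deposit_token("Bearer $token", $secret, $now + 600) !== null); // expired
```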