@shawaj @robputt - We store the private key at the HPT and the hotspots have the public key to verify the payload that is sent. In order to verify requests coming in at hm-diag for /version or /initFile.txt we can make some kind of signed API key that can be passed in the Authorization HTTP header.
HPT knows the miner's IP and MAC address from the DHCP lease file. So perhaps we can encrypt the miner's MAC address using the GPG key and send it to hm-diag as the access key / authorization header?
Currently the key pair is only used for signing payloads for shutdown etc., but the current key also supports encryption/decryption.
Suggested new flow:
1. When a new miner is detected, HPT generates a new API key by encrypting the miner's MAC address with the GPG signing key.
2. All requests sent from the HPT to the miner contain the header Authorization: Bearer <API_KEY>
3. On hm-diag, for endpoints that require it, the API_KEY is first validated (can be implemented as an authentication decorator).
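A sketch of the authentication decorator from the flow above, added here as an example and not code from hm-diag or the Hotspot-Production-Tool. It assumes the API key is a base64url signature over the miner's MAC; `demo_sign`/`demo_verify` are HMAC stand-ins so the block runs on the standard library alone (the described flow would verify a GPG signature with the public key on the hotspot), and every name and value in it is hypothetical.

```python
import base64
import functools
import hashlib
import hmac

# Constructed demo values, not taken from the project.
DEMO_KEY = b"demo-only-key"        # stand-in for the HPT key material
DEVICE_MAC = "aa:bb:cc:dd:ee:ff"   # constructed MAC of this miner


def normalize_mac(mac):
    """Canonical bytes so signer and verifier process the same input."""
    return mac.strip().lower().replace("-", ":").encode()


def demo_sign(mac):
    """HPT side (stand-in): API key = base64url(signature over the MAC)."""
    sig = hmac.new(DEMO_KEY, normalize_mac(mac), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).decode()


def demo_verify(mac, sig):
    """Miner side (stand-in): swap in a GPG public-key signature check."""
    good = hmac.new(DEMO_KEY, normalize_mac(mac), hashlib.sha256).digest()
    return hmac.compare_digest(good, sig)


def require_api_key(verify, device_mac):
    """Reject the request unless the Bearer token verifies for this MAC."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(headers, *args, **kwargs):
            scheme, _, token = headers.get("Authorization", "").partition(" ")
            if scheme.lower() != "bearer" or not token.strip():
                return 401, "missing bearer token"
            try:
                sig = base64.urlsafe_b64decode(token.strip().encode())
            except ValueError:
                return 401, "malformed token"
            if not verify(device_mac, sig):
                return 403, "invalid token"
            return handler(headers, *args, **kwargs)
        return wrapper
    return decorator


@require_api_key(demo_verify, DEVICE_MAC)
def version(headers):
    return 200, "version-placeholder"  # hypothetical /version handler
```

A key that covers only the MAC never changes, so anyone who observes it once can replay it; putting an expiry inside the signed data and checking it in the decorator would bound that window.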
Related to #464
/initFile.txt and /version endpoints should have a way to bypass them via some kind of auth.
Maybe via the gpg key we already use in manufacturing for the shutdown endpoint?
Ref https://github.com/NebraLtd/Hotspot-Production-Tool