This is subject to negotiation as to the order of implementation, and what other things are considered high priority. All v2 endpoints should be in Swagger or OpenAPI. Other Sponge projects using these APIs will rely on auto-generated clients based on these API definition files.
All endpoints except potentially download should require tokens
All endpoints should be grouped via routes, and in code as if ore's backend was separate microservices to enable us to split out ore into microservices in the future to enable us to scale ore better.
Wanted to write down my thoughts in the API right now:
Consider making sessions optional for public use; they add no purpose for us. People can simply create new sessions on a new IP at any point in time to bypass any form of rate limiting you could impose on a session. I would suggest simply rate-limiting public users by IP address and not session key. If people do wanna use sessions on public use, fine, but I don't see an argument for enforcing it.
Currently, after receiving your session, the HTTP standard Authorization header is being used. There are a few issues with this approach how it is right now:
- some libraries add standard handling for this header and may simply not support our obviously non-standard schema

What I would suggest instead is just creating our own header; this will avoid any potential conflicts. I would suggest: `OreSession: key`
I also read the linked issues for using JWT, but I agree this is currently probably not needed.
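
The rate-limiting point from the comment above, as an added example (not Ore's code and not part of the thread): the same burst of public requests is counted once with the limiter keyed on the session value and once keyed on the client IP. `SlidingWindowLimiter`, `limiter_key` and `accepted` are hypothetical names, the 5-per-60-seconds budget is an assumed value, and the traffic is constructed.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def limiter_key(headers, remote_ip, by_ip=True):
    """Pick the rate-limit bucket for a public (unauthenticated) request.

    by_ip=True  : bucket on the connecting address (the comment's suggestion).
    by_ip=False : bucket on the OreSession header value, falling back to IP.
    """
    session = headers.get("OreSession")  # header name proposed in the comment
    if by_ip or not session:
        return "ip:" + remote_ip
    return "session:" + session


def accepted(by_ip, requests, limit=5, window=60.0):
    """Count how many of `requests` (headers, ip) pairs get through."""
    # Fixed clock: every request lands in the same window (assumption for the demo).
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: 0.0)
    return sum(limiter.allow(limiter_key(h, ip, by_ip)) for h, ip in requests)


# Constructed traffic: one address, a fresh session key on every request.
ROTATING = [({"OreSession": f"sess-{i}"}, "203.0.113.7") for i in range(20)]

if __name__ == "__main__":
    print("keyed on session:", accepted(False, ROTATING))  # budget never applies
    print("keyed on IP:     ", accepted(True, ROTATING))   # capped at the limit
```

When the service sits behind a reverse proxy, `remote_ip` has to come from a proxy-set value the application trusts, not from a client-supplied header.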
Priority endpoints to implement equivalents of in v2 api