protect UI API calls with POST/csrf

[joefutrelle]

Right now we have GET API calls that users can call from non-browser clients, and some of them are expensive. For endpoints that are just used for the UI, they should be POSTs that require a csrf token.

[joefutrelle]

TODO: idedntify relevant endpoints

[mike-kaimika]

@joefutrelle
I think it might be easier to exclude endpoints then include them. The section from urls.py below are all the API ones. Are there any that should NOT be post requests?

ifcbdb/ifcbdb/dashboard/urls.py

Line 103 in 333374e

path('api/time-series/<slug:metric>', views.generate_time_series, name='generate_time_series'),

Same for the admin area:

ifcbdb/ifcbdb/secure/urls.py

Line 20 in 333374e

path('api/dt/datasets', views.dt_datasets, name='datasets_dt'),

Just a heads up that this will take some time to switch out. I spot checked a few of the dashboard URLs, and some of them are called from multiple locations in the code, and definitely using GET. So while fixing any particular endpoint is trivial, the time consuming part will be tracking down all the uses of that url and testing

[joefutrelle]

Agreed that this is not necessary for all endpoints and not essential for many of them. So I will identify the ones to target and we can just do those for now. My criteria are

1. Does the endpoint perform an expensive and/or asynchronous operation (e.g., mosaic computation)
2. Does the endpoint expose internal information like database IDs that callers should not rely on

I think this will be a reasonably small subset of the API endpoints. In the next round we would protect all API endpoints that aren't appropriate to be called from an external script but really only support the UI.

[mike-kaimika]

@joefutrelle I finished up the conversion of all the items that start with /api, minus about 4 of them that I think should remain as GETS (image links mostly). All changes are in the below PR. As mentioned in Slack, I've done the conversion AND tried to locate and test all instances where those methods are called, and everything looks good as far as I can tell

Updated Files
#326