Make API CORS settings configurable in config settings
At present the API CORS config is hard-coded.
- Move into config
-
Enable global config and per route config settings
- For dev keep API addressable from named list of client origins
- For live make API addressable from anywhere
- Limit POST /client endpoint to localhost
At present POST /client is unauthenticated. The idea is that only we do this which also allows us to make everyone's client ids unique/sensible/consistent. So for the trials we can just ssh onto the box, curl a client and send out the credentials. Ultimately we could do something like add an initialisation step where if there are no clients it generates an admin account and does something to notify the user about the creds.