disable cookie based auth on the API - mostly (#1070)

doc/api/api.raml

@@ -13,7 +13,7 @@ securitySchemes:
   cookie: !include securitySchemes/cookie.raml
   token: !include securitySchemes/token.raml
   oauth_2_0: !include securitySchemes/oauth_2_0.raml
-securedBy: [ token, oauth_2_0, cookie ]
+securedBy: [ token, oauth_2_0 ]
 
 traits:
   pageable: !include traits/pageable.raml

doc/api/apis/mappings.raml

@@ -1,7 +1,7 @@
 #type: collection
 get:
   is: [ embeddable: { embedFields: "user,updated_by,map" }, orderable, pageable ]
-  securedBy: [ null, token, oauth_2_0, cookie ]
+  securedBy: [ null, token, oauth_2_0 ]
   responses:
     200:
       body:
@@ -32,7 +32,7 @@ post:
   #type: item
   get:
     is: [ embeddable: { embedFields: "user,updated_by,map" } ]
-    securedBy: [ null, token, oauth_2_0, cookie ]
+    securedBy: [ null, token, oauth_2_0 ]
     responses:
       200:
         body:

doc/api/apis/maps.raml

@@ -1,7 +1,7 @@
 #type: collection
 get:
   is: [ searchable: { searchFields: "name, desc" }, embeddable: { embedFields: "user,source,topics,synapses,mappings,contributors,collaborators" }, orderable, pageable ]
-  securedBy: [ null, token, oauth_2_0, cookie ]
+  securedBy: [ null, token, oauth_2_0 ]
   queryParameters:
     user_id:
       description: |
@@ -40,7 +40,7 @@ post:
   #type: item
   get:
     is: [ embeddable: { embedFields: "user,source,topics,synapses,mappings,contributors,collaborators" } ]
-    securedBy: [ null, token, oauth_2_0, cookie ]
+    securedBy: [ null, token, oauth_2_0 ]
     responses:
       200:
         body:

doc/api/apis/metacodes.raml

@@ -1,7 +1,7 @@
 #type: collection
 get:
   is: [ searchable: { searchFields: "name" }, orderable, pageable ]
-  securedBy: [ null, token, oauth_2_0, cookie ]
+  securedBy: [ null, token, oauth_2_0 ]
   responses:
     200:
       body:
@@ -9,7 +9,7 @@ get:
           example: !include ../examples/metacodes.json
 /{id}:
   #type: item
-  securedBy: [ null, token, oauth_2_0, cookie ]
+  securedBy: [ null, token, oauth_2_0 ]
   get:
     responses:
       200:

doc/api/apis/synapses.raml

@@ -1,7 +1,7 @@
 #type: collection
 get:
   is: [ searchable: { searchFields: "desc" }, embeddable: { embedFields: "topic1,topic2,user" }, orderable, pageable ]
-  securedBy: [ null, token, oauth_2_0, cookie ]
+  securedBy: [ null, token, oauth_2_0 ]
   responses:
     200:
       body:
@@ -34,7 +34,7 @@ post:
   #type: item
   get:
     is: [ embeddable: { embedFields: "topic1,topic2,user" } ]
-    securedBy: [ null, token, oauth_2_0, cookie ]
+    securedBy: [ null, token, oauth_2_0 ]
     responses:
       200:
         body:

doc/api/apis/tokens.raml

@@ -3,12 +3,14 @@ get:
   description: |
     A list of the current user's tokens.
   is: [ searchable: { searchFields: description }, pageable, orderable ]
+  securedBy: [ token, oauth_2_0, cookie ]
   responses:
     200:
       body:
         application/json:
           example: !include ../examples/tokens.json
 post:
+  securedBy: [ token, oauth_2_0, cookie ]
   body:
     application/json:
       properties:
@@ -22,6 +24,7 @@ post:
           example: !include ../examples/token.json
 /{id}:
   #type: item
+  securedBy: [ token, oauth_2_0, cookie ]
   delete:
     responses:
       204:

doc/api/apis/topics.raml

@@ -1,7 +1,7 @@
 #type: collection
 get:
   is: [ searchable: { searchFields: "name, desc, link" }, embeddable: { embedFields: "user,metacode" }, orderable, pageable ]
-  securedBy: [ null, token, oauth_2_0, cookie ]
+  securedBy: [ null, token, oauth_2_0 ]
   responses:
     200:
       body:
@@ -31,7 +31,7 @@ post:
   #type: item
   get:
     is: [ embeddable: { embedFields: "user,metacode" } ]
-    securedBy: [ null, token, oauth_2_0, cookie ]
+    securedBy: [ null, token, oauth_2_0 ]
     responses:
       200:
         body:

doc/api/apis/users.raml

@@ -1,7 +1,7 @@
 #type: collection
 get:
   is: [ searchable: { searchFields: "name" }, orderable, pageable ]
-  securedBy: [ null, token, oauth_2_0, cookie ]
+  securedBy: [ null, token, oauth_2_0 ]
   responses:
     200:
       body:
@@ -9,7 +9,7 @@ get:
           example: !include ../examples/users.json
 /{id}:
   #type: item
-  securedBy: [ null, token, oauth_2_0, cookie ]
+  securedBy: [ null, token, oauth_2_0 ]
   get:
     responses:
       200:

doc/api/pages/cookie_tutorial.md

@@ -1,3 +0,0 @@
-One way to access the API is through your browser. Log into metamaps.cc normally, then browse manually to https://metamaps.cc/api/v2/users/current. You should see a JSON description of your own user object in the database. You can browse any GET endpoint by simply going to that URL and appending query parameters in the URI.
-
-To run a POST or DELETE request, you can use the Fetch API. See the example in the next section.

doc/api/pages/getting-started.md

@@ -1,2 +1,2 @@
-There are three ways to log in: cookie-based authentication, token-based authentication, or OAuth 2. If you're testing the API or making simple scripts, cookie-based or token-based is the best. If you're developing an app and want users to be able to log into Metamaps inside your app, you'll be able to use the OAuth 2 mechanism. Check the security tab of any of the endpoints above for instructions on logging in.
+There are two ways to log in: token-based authentication, or OAuth 2. If you're testing the API or making simple scripts, token-based is the best. If you're developing an app and want users to be able to log into Metamaps inside your app, you'll be able to use the OAuth 2 mechanism. Check the security tab of any of the endpoints above for instructions on logging in.
 

doc/api/pages/token_tutorial.md

@@ -1,25 +1,26 @@
-If you are logged into the API via another means, you can create a token. Once you have this token, you can append it to a request. For example, opening a private window in your browser and browsing to `https://metamaps.cc/api/v2/users/current?token=...token here...` would show you your current user, even without logging in by another means.
+You can create a token by using the API, or you can get your first token at https://metamaps.cc/tokens/new. Once you have this token, you can append it to a request. For example, opening a private window in your browser and browsing to `https://metamaps.cc/api/v2/users/current?token=...token here...` would show you your current user, even without logging in by another means.
 
-To get a list of your current tokens, you can log in using cookie-based authentication and run the following fetch request in your browser console (assuming the current tab is on some page within the `metamaps.cc` website.
+To get a list of your current tokens (while logged in to the main site), you can run the following fetch request in your browser console (assuming the current tab is on some page within the `metamaps.cc` website. The token you need to append to the url will look something like `T1ZI012rseqF1XZWFBVj4JSXR5g3OpYC`, but this example token won't work for you. You need your own.
 
 ```
 fetch('/api/v2/tokens', {
   method: 'GET',
-  credentials: 'same-origin' // needed to use the cookie-based auth
+  credentials: 'same-origin', // needed so the API knows which account you're logged in to
 }).then(response => {
   return response.json()
 }).then(console.log).catch(console.error)
 ```
 
-If this is your first time accessing the API, this list wil be empty. You can create a token using a similar method:
+If this is your first time accessing the API, this list wil be empty. You can create a token over the API using a similar method:
 
 ```
-fetch('/api/v2/tokens', {
-  method: 'POST',
-  credentials: 'same-origin'
+fetch('/api/v2/tokens?token=T1ZI012rseqF1XZWFBVj4JSXR5g3OpYC', {
+  method: 'POST'
 }).then(response => {
   return response.json()
-}).then(console.log).catch(console.error)
+}).then(payload => {
+  console.log(payload)
+}).catch(console.error)
 ```
 
 `payload.data.token` will contain a string which you can use to append to requests to access the API from anywhere.

doc/api/securitySchemes/cookie.raml

@@ -1,3 +1,2 @@
-description: !include ../pages/cookie_tutorial.md
 type: x-cookie
-displayName: Secured by cookie-based authentication
+displayName: Accessible using cookie-based authentication