Implemented token-based API authentication.

Replaced the ApiKey concept with ephemeral tokens. Users and apps obtain a
token by authenticating the user credentials (to be implemented). The service
then generates a temporary token that is stored by the client and sent with
every request using the `Authorization-Token` header. The server verifies this
token to recognize and authenticate the request. With an authenticated user,
the server can use the user's role to authorize requests.

This implementation uses JSR 250 SecurityContext and security annotations.

src/main/groovy/com/jdbernard/nlsongs/model/ApiKey.groovy

@@ -1,7 +0,0 @@
-package com.jdbernard.nlsongs.model
-
-public class ApiKey implements Serializable {
-
-    String key
-    String description
-}

src/main/groovy/com/jdbernard/nlsongs/model/Role.java

@@ -0,0 +1,3 @@
+package com.jdbernard.nlsongs.model;
+
+public enum Role { admin, user }

src/main/groovy/com/jdbernard/nlsongs/model/Token.groovy

@@ -0,0 +1,17 @@
+package com.jdbernard.nlsongs.model
+
+public class Token implements Serializable {
+
+    String token
+    User user
+    Date expires
+
+    @Override
+    public boolean equals(Object thatObj) {
+        if (thatObj == null) return false
+        if (!(thatObj instanceof Token)) return false
+
+        Token that = (Token) thatObj
+
+        return (this.token == that?.token) }
+}

src/main/groovy/com/jdbernard/nlsongs/model/User.groovy

@@ -1,8 +1,17 @@
 package com.jdbernard.nlsongs.model
 
+import com.lambdaworks.crypto.SCryptUtil
+
 public class User {
 
     int id
     String username
     String pwd
+    Role role
+
+    public void setPwd(String pwd) {
+        this.pwd = SCryptUtil.scrypt(pwd, 16384, 16, 1) }
+
+    public boolean checkPwd(String givenPwd) {
+        return SCryptUtil.check(this.pwd, givenPwd) }
 }