Limit access to the API

[parberge]

Right now everyone can access our API if they know the URL.

I think one simple solution would be to use security groups in AWS, and only let our own services (timereport-slack and timereport-web) access it.

[parberge]

Since timereport-api needs to be public and accessed via client (when using timereport-ui) we can't rely on aws security groups.

We need to build some auth ourselves for this.

[parberge]

Maybe this is something that we can use?

https://aws.github.io/chalice/topics/authorizers.html#amazon-cognito-user-pools

Never used cognito and I've not checked costs etc.