kompassi
M2M authentication for GraphQL API
This came up while working on issue #346, PR #375.
If we want to support non-logged in users uploading files, we can't perfectly lock down the initFileUpload mutation via CBAC. But I can see there could be some potential for abuse as it returns a presigned url that could be used by anyone. Then again, currently anyone could spam survey responses to a form that doesn't require login by spamming the createSurveyResponse mutation.
One option that crosses my mind is that at the moment no-one else than the v2 backend needs to be able to upload files or create survey responses. So we could introduce some form of M2M authentication between the v2 backend and the backend proper, keep (most of the) queries still publicly available and lock down the mutations behind M2M authentication.
Instead of generating another set of M2M credentials, we could use the client id and client secret already configured for OIDC. However, oauth_toolkit is sussy baka and only supports one type of grant per client, so with the current stack that may require more manual tunk.
Another option would be to use a bona fide django.contrib.auth.models.User with the existing kompassi-apps group that restricts the user to using HTTP Basic authentication (no interactive login), and then :meowth:.
Then again, the spammer could then move the spam on the Server Actions level, so is there really anything to be gained here? Perhaps introduce throttling at the initFileUpload and createSurveyResponse mutations.
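One way the two ideas above could combine into a single gate for the initFileUpload and createSurveyResponse mutations: an HTTP Basic M2M account in the kompassi-apps group passes freely, while anonymous callers are throttled per client and mutation. This is an added, framework-agnostic Python sketch, not code from the Kompassi project; the account name, secret and limits are constructed, and a real deployment would look the credentials up in Django's user store instead of a dict.

```python
import base64
import hmac
import time
from collections import defaultdict, deque

# Constructed M2M account for the v2 backend. Assumption: in Kompassi the
# secret would come from settings and membership from the kompassi-apps group.
M2M_GROUP = "kompassi-apps"
M2M_ACCOUNTS = {"v2-backend": {"secret": b"constructed-example-secret", "groups": {M2M_GROUP}}}
PROTECTED_MUTATIONS = {"initFileUpload", "createSurveyResponse"}
_hits = defaultdict(deque)  # (client_ip, mutation) -> timestamps of recent anonymous calls
ANON_LIMIT, ANON_WINDOW = 3, 60  # anonymous calls admitted per key per window (seconds)

def basic_header(user, secret):
    """Build the Authorization header value the v2 backend would send."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

def is_m2m_caller(header):
    """True only for a known account in the M2M group whose secret matches (constant-time)."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, sep, secret = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed base64 or non-UTF-8 payload is treated as anonymous
    account = M2M_ACCOUNTS.get(user)
    if not sep or account is None or M2M_GROUP not in account["groups"]:
        return False
    return hmac.compare_digest(secret.encode(), account["secret"])

def throttle_allows(key, now):
    """Sliding window: drop stale hits, then admit the call if under the limit."""
    q = _hits[key]
    while q and now - q[0] >= ANON_WINDOW:
        q.popleft()
    if len(q) >= ANON_LIMIT:
        return False
    q.append(now)
    return True

def authorize_mutation(mutation, auth_header, client_ip, now=None):
    """M2M callers pass freely; anonymous callers are throttled per (ip, mutation)."""
    if mutation not in PROTECTED_MUTATIONS:
        return "allowed"
    if is_m2m_caller(auth_header):
        return "allowed:m2m"
    now = time.monotonic() if now is None else now
    if throttle_allows((client_ip, mutation), now):
        return "allowed:throttled"
    return "denied:rate_limited"
```

Queries stay untouched because only the two mutations are in PROTECTED_MUTATIONS; the throttle state is in-process here, so a multi-worker deployment would move it to a shared store.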