New API backend which gets a full X509 certificate, verifies it,
and extracts the subject.  To be used in the cloud deployment
with Traefik.

Add some information to VOEvents and rearrange some things:
  * Add EM Bright information (BNS, NSBH, BBH, Terrestrial) in a
    Group in the What section
  * Put ProbHasNS and ProbHasRemnant in a Group and rename to 'HasNS'
    and 'HasRemnant'

See https://git.ligo.org/lscsoft/gracedb/issues/77

superevent_id is now always default superevent ID (SXXXXXXa),
while a new 'gw_id' field is either None or the GW ID.
We also add the 'far' field which is just the preferred event's FAR.
Finally, we remove some fields for unauthenticated users.

No point in allowing access since unauthenticated users don't
see graceids anywhere else and they can't access the events
anyway.

For the base test class which creates an LV-EM user and the
LV-EM observers group, we now also create the basic LV-EM group
and add the user to it as well.

Adding/updating tests of unauthenticated access to the
superevents API.

We now have a single API endpoint, /api/, which can handle all
authentication methods directed to it.  The /apibasic/ and
/apiweb/ URLs will probably be maintained for legacy reasons,
but will not include any additional logic (they will just be
carbon-copies of /api/ under a different namespace).

Some of the "main" API views now use the default permissions
as defined in the settings, rather than individually set
permissions.

Added a viewset mixin which causes the viewset to inherit the default
permissions defined for the API in the settings file, rather than
overwriting them if any permission classes are specified in the
class definition.

This helps to allow global control of unauthenticated access with
a single settings variable (see previous commit).

Complete rework of authentication middleware and backends for
both the web view and the API. There is now a single URL (after
the login page) where the shibboleth attributes are put into
the session and the user is authenticated and a persistent
Django session is created.

Utility function for determining whether a request is directed at the
API.  Can specify that the check is for a certain API "type", like
shibboleth, X509, or basic.

We now use ValidateDestroyMixin rather than SafeDeleteMixin for
handling removal of events from a superevent.  Some additional
logic in other places was no longer needed.

Some of the search utilities were still in the separate
events and superevents apps, so we moved them to the search app
and tried to clean things up a bit.  It's still kind of a mess
and probably not worth doing a full cleanup until we rework
the search.

Create new CustomDecimalField for handling float inputs better
than they are handled in rest_framework.fields.DecimalField.

All calls to event.graceid() -> event.graceid.

Enforce label protection through the API for applying labels,
removing labels, and creating events and superevents with labels
attached.  We also don't allow users to reapply a signoff request
label when a signoff status label is already applied (e.g., can't
apply ADVREQ when ADVNO already exists).

New mixin for doing some kind of validation on the request data
or the instance before destroying it.

Want to see what is triggering this functionality, if it is
being triggered at all.