Security: require API key for firmware snapshot endpoint (VULN-002)#115

Open
tobiasmcnulty wants to merge 6 commits into main from security/vuln-002-firmware-auth
Conversation

@tobiasmcnulty
Member

Fixes #113.

Summary

Adds mandatory MDM_FIRMWARE_API_KEY bearer-token authentication to firmware_snapshot_view. Requests without a valid key receive HTTP 401. If the key is not configured in the environment, the endpoint also returns 401 (previously it was silently unauthenticated).

Key changes

  • config/settings/base.py: new MDM_FIRMWARE_API_KEY = os.getenv("MDM_FIRMWARE_API_KEY", "") setting
  • apps/mdm/views.py: mandatory auth gate before any body parsing; missing key now returns 401 instead of logging a warning
  • tests/mdm/test_security.py (new): TestFirmwareSnapshotAuth — regression tests for unauthenticated, correctly-keyed, wrong-keyed, and missing-key cases
  • tests/mdm/test_views.py (new on main): TestFirmwareSnapshotView with set_api_key autouse fixture so that existing functional tests pass under mandatory auth

Required Operator Action

Set MDM_FIRMWARE_API_KEY in the environment and update all firmware-reporting devices to include Authorization: Bearer <key>.

Conflict resolution note

This cherry-pick spans two commits from 99-policy-editor-v2 (d6fa0ce and c574a04). d6fa0ce also contained unrelated policy_add view changes (scoped to the feature branch's policy editor refactor) which were excluded during conflict resolution. tests/mdm/test_views.py does not exist on main; a minimal file was created containing only TestFirmwareSnapshotView.

Cherry-picked from

Commits d6fa0ce and c574a04 on 99-policy-editor-v2.
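The auth gate the description sketches, written out as an added example. This is not the project's code: only the setting name MDM_FIRMWARE_API_KEY, the view name firmware_snapshot_view and the four regression cases come from the PR text; the request shape (a headers dict plus a raw body instead of a Django HttpRequest), the (status_code, payload) return value and the helper names are assumptions so the example runs stand-alone.

```python
# Added example (not the project's code): a fail-closed bearer-token gate for a
# firmware snapshot endpoint, modelled on the behaviour the PR description states.
# Names taken from the PR: MDM_FIRMWARE_API_KEY, firmware_snapshot_view.
# Assumed for this stand-alone version: headers and body are passed in directly
# instead of a Django HttpRequest, and the view returns (status_code, payload).
import hmac
import json
import os


def load_firmware_api_key(environ=None):
    """Mirror of the settings line in the PR: empty string when the key is unset."""
    env = os.environ if environ is None else environ
    return env.get("MDM_FIRMWARE_API_KEY", "")


def bearer_token_matches(auth_header, configured_key):
    """True only for 'Authorization: Bearer <key>' with <key> equal to configured_key.

    Fails closed: an unset or empty configured key rejects every request (the
    PR's 'missing-key' case), and the comparison is constant-time so neither the
    key length nor a matching prefix leaks through response timing.
    """
    if not configured_key or not auth_header:
        return False
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False
    return hmac.compare_digest(token.strip().encode("utf-8"),
                               configured_key.encode("utf-8"))


def firmware_snapshot_view(headers, body, configured_key):
    """Stand-in for the view: the auth gate runs before the body is touched."""
    if not bearer_token_matches(headers.get("Authorization"), configured_key):
        return 401, {"detail": "authentication required"}
    try:
        snapshot = json.loads(body)
    except (ValueError, TypeError):
        return 400, {"detail": "body must be JSON"}
    if not isinstance(snapshot, dict):
        return 400, {"detail": "body must be a JSON object"}
    # A real view would persist the snapshot here; echo the field names instead.
    return 200, {"received_fields": sorted(snapshot)}


def run_regression_cases(configured_key="constructed-test-key"):
    """The four cases the PR's TestFirmwareSnapshotAuth names, plus one ordering
    check: a malformed body with no credentials must still yield 401, not 400,
    which shows the gate runs before any parsing. Returns {case: status_code}."""
    good = {"Authorization": f"Bearer {configured_key}"}
    body = json.dumps({"device_id": "dev-0001", "firmware": "1.2.3"})  # constructed
    return {
        "unauthenticated": firmware_snapshot_view({}, body, configured_key)[0],
        "correct_key": firmware_snapshot_view(good, body, configured_key)[0],
        "wrong_key": firmware_snapshot_view(
            {"Authorization": "Bearer not-the-key"}, body, configured_key)[0],
        "missing_key_in_env": firmware_snapshot_view(good, body, "")[0],
        "bad_body_unauthenticated": firmware_snapshot_view(
            {}, "{not json", configured_key)[0],
    }


if __name__ == "__main__":
    for case, status in run_regression_cases().items():
        print(f"{case:26s} -> {status}")
```

The "bad_body_unauthenticated" case is the one worth keeping in a real test suite alongside the four the PR lists: it pins down the ordering ("auth gate before any body parsing") that the key-changes list calls out, so a later refactor that moves JSON parsing above the gate fails a test instead of quietly exposing the parser to unauthenticated input again.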

@tobiasmcnulty tobiasmcnulty changed the title from "Security/vuln 002 firmware auth" to "Security: require API key for firmware snapshot endpoint (VULN-002)" Mar 23, 2026
Co-authored-by: Tobias McNulty <tobias@caktusgroup.com>
@tobiasmcnulty tobiasmcnulty marked this pull request as ready for review March 23, 2026 14:08
@tobiasmcnulty tobiasmcnulty marked this pull request as draft March 23, 2026 14:12
@tobiasmcnulty
Member Author

@copelco @simonkagwi What do you think of this change? We could add the API key to the firmware app's managed configuration (or even generate and push it out automatically via Publish MDM). Probably a good idea long-term, and there's no harm in adding this now since it's not actively in use?

@tobiasmcnulty tobiasmcnulty marked this pull request as ready for review March 23, 2026 14:13
Contributor

@simonkagwi simonkagwi left a comment

Looks good to me, I just have one small suggestion on the comment in the settings file. Adding the API key to the app's managed configuration sounds good too. 👍

Co-authored-by: simonkagwi <skagwi@caktusgroup.com>
Development

Successfully merging this pull request may close these issues.

Security: unauthenticated @csrf_exempt firmware snapshot endpoint allows arbitrary data injection (VULN-002)