
Add access control for public endpoints (Public Clients) #4180

@sebgie

Description


This belongs to the OAuth Epic: #4004 - please read this for the big picture of what this issue is for :)


Requires #4174

Access to public API endpoints is not unrestricted. A request to public API endpoints from a JavaScript application needs to comply with the following rules. Public endpoints in this context are endpoints that don't need an authorized user to be accessed.

  • The request needs to be sent with a valid client_id. The client_id is added as URL parameter or sent with the request body. This mechanism is already used for the Ghost admin and implemented in auth-strategies.js.
  • Every request from a JavaScript application has to be sent using AJAX. This can be detected by checking the X-Requested-With header or simply using the req.xhr value that express.js adds to every request.
  • The originating domain has to be valid for a request to the API. When a new client side application is added to Ghost the trusted domains have to be added and every request for a certain client_id is checked against those values. The calling host can be found out by reading the host header (var host = req.get('host');).

Header values are not always trustworthy, but checking them should be enough to deny random attempts to access the API.
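The three rules above, written out as an Express-style middleware. This is an added example, not Ghost's code and not what landed for this issue: the `TRUSTED_CLIENTS` registry is constructed (Ghost would keep client ids and their trusted hosts in its database), `checkPublicClient`, `publicClientGuard` and `fakeRequest` are names chosen here, and `isXhr` mirrors what express's `req.xhr` does (compares `X-Requested-With` to `XMLHttpRequest` case-insensitively). It deliberately returns a result object rather than only sending a response so the policy can be tested without a running server; as the issue says, `Host` and `X-Requested-With` can be set by any non-browser client, so this only filters casual access and is not an authentication boundary.

```javascript
'use strict';

// Constructed registry of public clients: client_id -> hosts allowed to call
// the public API with it. Assumed shape; Ghost would load this from storage.
const TRUSTED_CLIENTS = {
  'ghost-frontend': ['blog.example.com', 'localhost:2368'],
};

// The issue allows client_id either as a URL parameter or in the request body.
function getClientId(req) {
  const fromQuery = req.query && req.query.client_id;
  const fromBody = req.body && req.body.client_id;
  return fromQuery || fromBody || null;
}

// Same test express performs for req.xhr; honour req.xhr when the framework
// already set it, otherwise read the X-Requested-With header directly.
function isXhr(req) {
  if (typeof req.xhr === 'boolean') return req.xhr;
  const value = (req.get && req.get('X-Requested-With')) || '';
  return value.toLowerCase() === 'xmlhttprequest';
}

// Apply the three rules in order. Returns {ok, status, reason} so the policy
// is testable on its own; 401 for a missing/unknown client, 403 for a client
// that is known but is calling from the wrong place or in the wrong way.
function checkPublicClient(req, clients = TRUSTED_CLIENTS) {
  const clientId = getClientId(req);
  if (!clientId) {
    return {ok: false, status: 401, reason: 'missing client_id'};
  }
  const trustedHosts = clients[clientId];
  if (!trustedHosts) {
    return {ok: false, status: 401, reason: 'unknown client_id'};
  }
  if (!isXhr(req)) {
    return {ok: false, status: 403, reason: 'request must be sent via AJAX (XMLHttpRequest)'};
  }
  // req.get('host') is what the issue proposes for the originating domain.
  const host = ((req.get && req.get('host')) || '').toLowerCase();
  if (!trustedHosts.includes(host)) {
    return {ok: false, status: 403, reason: 'host ' + host + ' is not trusted for client ' + clientId};
  }
  return {ok: true, status: 200, reason: null};
}

// Express-style middleware: app.use('/ghost/api/v0.1/public', publicClientGuard())
function publicClientGuard(clients = TRUSTED_CLIENTS) {
  return function (req, res, next) {
    const result = checkPublicClient(req, clients);
    if (result.ok) return next();
    res.status(result.status).json({errors: [{message: result.reason}]});
  };
}

// Minimal stand-in for express's req (constructed for offline use): query,
// body and a case-insensitive header getter like req.get().
function fakeRequest({query = {}, body = {}, headers = {}} = {}) {
  const lower = {};
  for (const name of Object.keys(headers)) lower[name.toLowerCase()] = headers[name];
  return {
    query,
    body,
    get(name) { return lower[name.toLowerCase()]; },
  };
}

if (typeof module !== 'undefined') {
  module.exports = {TRUSTED_CLIENTS, checkPublicClient, publicClientGuard, fakeRequest};
}
```

Mount `publicClientGuard()` only in front of the public routes; the admin API keeps the user-token checks from auth-strategies.js, and the client_id lookup here is the same registry that check would consult.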
