
[NEW] Tiki API

Victor Emanouilov requested to merge kroky/tiki:feature/api into master

[NEW] API - front controller exposure of ajax-brokered services for an API access, bearer token authentication, token management, modify Tiki init process for API access - stateless, no (session) cookies, js or CSRF protection

This is the bare minimum of a sensible API access to Tiki ajax-brokered services removing session/cookie/javascript dependencies, CSRF protection and using stateless authentication through a bearer header token. Each API request should be authenticated with a token created by Tiki admin. Each token gives its owner access with one and only one Tiki user. Configure permissions based on that user's groups.

TODO:

  • modify RemoteResults and tracker synchronization to make use of this new API
  • go through actual services to ensure we return sensible results (e.g. no html rendering, use json objects)
  • enforce permissions through Perms subsystem for all API calls (e.g. currently certain tracker actions through ajax are reserved for tracker admins only when they could be opened for users actually having permissions to do so)
  • extend authentication mechanisms (especially oAuth)
  • consider anonymous API access once proper permissions are applied to all exposed endpoints
  • research and document API (possibly self-document existing services)
  • map or use an adapter/bridge for ajax to REST endpoints
  • API versioning - unfortunately not easy with current ajax services, we probably need the adapter to a REST API before adding versions

... possibly many more things but should be a good start

All TODO items completed for first version of the API.

Edited by Victor Emanouilov
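The request flow the description above lays out (bearer token in the Authorization header, each token bound to exactly one user, no session, no cookies, no CSRF check), as an added illustrative example that is not Tiki's code from this merge request. All identifiers below (exampleTokenStore, extractBearerToken, resolveApiUser, handleApiRequest) and the sample tokens are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample store: tokens are kept only as SHA-256 digests, and each
// digest maps to exactly one user. In a real deployment this would be a DB table.
function exampleTokenStore(): array
{
    return [
        hash('sha256', 'tok_alice_6f0b1c') => ['user' => 'alice', 'expires' => strtotime('2030-01-01')],
        hash('sha256', 'tok_bob_9a4d2e')   => ['user' => 'bob',   'expires' => strtotime('2020-01-01')], // expired
    ];
}

// Pull the token out of "Authorization: Bearer <token>"; null if absent or malformed.
function extractBearerToken(array $headers): ?string
{
    $auth = $headers['Authorization'] ?? $headers['authorization'] ?? '';
    return preg_match('/^Bearer\s+(\S+)$/i', trim($auth), $m) ? $m[1] : null;
}

// Resolve a presented token to its single owning user, or null. Only digests are
// compared, so a leaked store yields no usable tokens; hash_equals is constant-time.
function resolveApiUser(?string $token, array $store): ?string
{
    if ($token === null) {
        return null;
    }
    $digest = hash('sha256', $token);
    foreach ($store as $storedDigest => $meta) {
        if (hash_equals($storedDigest, $digest)) {
            return $meta['expires'] > time() ? $meta['user'] : null;
        }
    }
    return null;
}

// Front-controller entry for an API call: no session_start(), cookies are never
// consulted, and no CSRF token is required because nothing ambient grants access.
function handleApiRequest(array $headers, array $store): array
{
    $user = resolveApiUser(extractBearerToken($headers), $store);
    if ($user === null) {
        return ['status' => 401, 'headers' => ['WWW-Authenticate' => 'Bearer realm="api"'], 'body' => ['error' => 'unauthorized']];
    }
    // From here the service is dispatched as $user; permissions come from that user's groups.
    return ['status' => 200, 'headers' => [], 'body' => ['user' => $user]];
}

$store = exampleTokenStore();
echo handleApiRequest(['Authorization' => 'Bearer tok_alice_6f0b1c'], $store)['status'], "\n"; // valid token
echo handleApiRequest(['Authorization' => 'Bearer tok_bob_9a4d2e'], $store)['status'], "\n";   // expired token
echo handleApiRequest(['Cookie' => 'PHPSESSID=abc'], $store)['status'], "\n";                  // session cookie only
```

The last call shows the stateless property: a request carrying only a session cookie is rejected, which is what removes the need for CSRF protection on these endpoints.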
