🔒️(backend) restrict resource server views

We don't want every Service Provider to be able to request
every endpoint if those are not implementing a filtering on
the data returned. To prevent any data leak we enforce the
developers to manually "whitelist" each endpoint and add
the proper filtering when needed.

src/backend/people/settings.py

@@ -230,7 +230,10 @@ class Base(Configuration):
 
     REST_FRAMEWORK = {
         "DEFAULT_AUTHENTICATION_CLASSES": (
-            "core.resource_server.authentication.ResourceServerAuthentication",
+            # "core.resource_server.authentication.ResourceServerAuthentication",
+            # The resource server authentication is added on a per-view basis
+            # to enforce the filtering adapted from the introspected token.
+            # See ResourceServerMixin usage for more details.
             "mozilla_django_oidc.contrib.drf.OIDCAuthentication",
             "rest_framework.authentication.SessionAuthentication",
         ),