API requests need to know what user is sending them and respond appropriately

[dougmakingstuff]

Right now, if you have a copy of Postman, you can get any data from any of the API endpoints, regardless of whether or not you should access that data.

We need to lock down the API so that:

• Only authenticated, authorized users can request data
• Users only see the data they are authorized to see. For example, a property manager should not be able to request data on a tenant that does not live on one of their properties.