The jsonify decorator parses the request payload as JSON
and puts it in request.json. The payload would normally
be a complex object, but if a client sends, let's say,
a single integer, then request.json is a Python int.
The authorize decorator looks for the API key first in the request
headers, then in the request body. It expects the request
body to be a complex object.
This commit adds the following validation rule to
the jsonify decorator: if the request body is not empty, it
*must* parse as JSON, and the root element of the parsed
document *must* be a dict.

1. Drop API support for GET and DELETE requests with a request body.
Healthchecks had an undocumented quirk where you could authenticate a
GET or DELETE request by putting '{"api_key":"..."}' in the request body.
This commit removes this feature.
Note: POST requests can still authenticate either by sending
an X-Api-Key header, or by putting an "api_key" key in the request body.
GET and DELETE requests can now only authenticate with the
request header.
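The two rules described above (a non-empty body must parse as a JSON object, and only POST may carry the API key in the body), as an added example that is not Healthchecks' own code. The Request and Response classes are constructed stand-ins for Django's HttpRequest/HttpResponse, the VALID_KEYS set and the checks_view function are assumptions for illustration, and the decorator order assumes jsonify runs before authorize, which is what the validation rule relies on.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Dict


@dataclass
class Request:
    """Constructed stand-in for Django's HttpRequest (not the real class).
    Header lookup here is case-sensitive, unlike Django's request.headers."""
    method: str
    body: bytes = b""
    headers: Dict[str, str] = field(default_factory=dict)
    json: Any = None


@dataclass
class Response:
    """Constructed stand-in for Django's HttpResponse."""
    status: int
    text: str = ""


# Assumed set of valid API keys; a real service would look these up per account.
VALID_KEYS = {"secret-key-1"}


def jsonify(view: Callable) -> Callable:
    """Parse a non-empty body as JSON and require the root to be a dict.

    An empty body yields an empty dict, so downstream code can always call
    request.json.get(). A body such as b"5" or b"[1]" parses as JSON but is
    rejected with 400 instead of reaching the view as an int or list.
    """
    def wrapper(request: Request, *args, **kwargs) -> Response:
        request.json = {}
        if request.body:
            try:
                parsed = json.loads(request.body.decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                return Response(400, "request body is not valid JSON")
            if not isinstance(parsed, dict):
                return Response(400, "JSON root element must be an object")
            request.json = parsed
        return view(request, *args, **kwargs)
    return wrapper


def authorize(view: Callable) -> Callable:
    """Look for the API key in the X-Api-Key header first.

    Only POST requests may fall back to an "api_key" field in the body;
    GET and DELETE must use the header. Assumes jsonify ran first, so
    request.json is always a dict here.
    """
    def wrapper(request: Request, *args, **kwargs) -> Response:
        api_key = request.headers.get("X-Api-Key", "")
        if not api_key and request.method == "POST":
            api_key = request.json.get("api_key", "")
        if not isinstance(api_key, str) or api_key not in VALID_KEYS:
            return Response(401, "wrong api_key")
        return view(request, *args, **kwargs)
    return wrapper


@jsonify
@authorize
def checks_view(request: Request) -> Response:
    """Assumed API view; it only runs once both decorators have passed."""
    return Response(200, "ok")


if __name__ == "__main__":
    # A bare integer body is now rejected by jsonify before authorize sees it.
    print(checks_view(Request("POST", b"5")))
    # A GET request can no longer authenticate via the body.
    print(checks_view(Request("GET", b'{"api_key": "secret-key-1"}')))
    # A POST request still can.
    print(checks_view(Request("POST", b'{"api_key": "secret-key-1"}')))
```

Note the isinstance check in authorize: a body of `{"api_key": 5}` passes jsonify (the root is a dict) but the key itself is an int, and rejecting non-string keys avoids a type error from the key lookup.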

2. Add missing @csrf_exempt annotations in API views
When a client sends an HTTP POST request to a GET-only endpoint,
the server is supposed to respond with "405 Method Not Allowed".
Due to CSRF checking, a couple of endpoints were responding with
"403 Forbidden" instead. Adding @csrf_exempt annotations fixes
the problem.