Edx-drf-extensions

Latest version: v10.3.0


Page 8 of 15

4.0.3

**WARNING**: **BREAKING CHANGES** were introduced separately in both 4.0.0 and 4.0.1.

* Removed the version constraint on drf-jwt.
* Added support for the latest version of drf-jwt.

4.0.2

**WARNING**: **BREAKING CHANGES** were introduced separately in both 4.0.0 and 4.0.1.

Removed upper limit constraint for DRF in requirements.

4.0.1

* All django 2.2 tests were fixed and now edx-drf-extensions properly supports django>=1.11,<=2.2.
* djangorestframework-jwt library was replaced with drf-jwt to support django2.2.

**BREAKING CHANGES**:
* To preserve compatibility with existing clients, the `JWT_AUTH_HEADER_PREFIX` Django setting must be set to "JWT". This was the default in djangorestframework-jwt, but it changed to "Bearer" in drf-jwt 1.12.8.
* You may also need to add `rest_framework_jwt` and `rest_framework_jwt.blacklist` to the `INSTALLED_APPS` list.

4.0.0

The ENABLE_ANONYMOUS_ACCESS_ROLLOUT flag was used temporarily to facilitate the rollout
of CSRF protection for MFEs. With that effort finished, the flag is no longer necessary
and is now being removed.

This release removes the flag and replaces it with
logic equivalent to setting ENABLE_ANONYMOUS_ACCESS_ROLLOUT to True.

3.0.1

In 3.0.0, the switch `oauth2.enforce_jwt_scopes` was removed, so
is_restricted is now always checked in JWTs. This works fine for JWTs created
by the LMS, but it uncovered a pre-existing bug that only shows
itself in the Ecommerce Service, for certain JWTs that were meant to be
decoded with a custom jwt_decode_handler. In the Ecommerce Service only,
this custom jwt_decode_handler is set using the JWT_DECODE_HANDLER
setting.

This fix updates the JWT code to respect the JWT_DECODE_HANDLER setting
of JWT_AUTH, and uses the configured handler rather than assuming the
edx-drf-extensions version will always be used.

Additionally, the fix accounts for JWTs that are missing certain
claims in the payload (e.g. 'is_restricted' and 'filters') by using
appropriate defaults.

ARCHBOM-1036
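As an added illustration of the two 3.0.1 points above (example code, not edx-drf-extensions' own): a decoder that honours a `JWT_DECODE_HANDLER` dotted path from `JWT_AUTH` instead of assuming the default, and that fills in defaults for payloads missing `is_restricted` or `filters`. The `JWT_AUTH` dict, the secret, the HS256 helpers and the `make_token` fixture are all constructed for this example.

```python
import base64, hashlib, hmac, importlib, json

# Constructed stand-in for the Django JWT_AUTH setting; both values are examples only.
JWT_AUTH = {
    "JWT_SECRET_KEY": "example-shared-secret",
    "JWT_DECODE_HANDLER": None,  # dotted path to a custom handler, or None for the default
}
# Defaults applied when a payload omits the optional claims named in the 3.0.1 notes.
CLAIM_DEFAULTS = {"is_restricted": False, "filters": []}

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input):
    return hmac.new(JWT_AUTH["JWT_SECRET_KEY"].encode(), signing_input, hashlib.sha256).digest()

def make_token(payload):
    """Issue an HS256 JWT for a sample payload (test fixture, not a production issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    return f"{header}.{body}.{_b64url_encode(_sign(signing_input))}"

def default_decode_handler(token):
    """Library-style default handler: verify the HS256 signature, then return the payload."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # pin the algorithm; never trust the token's choice
    if not hmac.compare_digest(_sign(f"{header_b64}.{body_b64}".encode()), _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))

def get_decode_handler():
    """The 3.0.1 fix: honour JWT_AUTH['JWT_DECODE_HANDLER'] instead of assuming the default."""
    path = JWT_AUTH.get("JWT_DECODE_HANDLER")
    if not path:
        return default_decode_handler
    module_name, _, attr = path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)

def decode_with_defaults(token):
    """Decode via the configured handler, then fill in any missing optional claims."""
    payload = dict(get_decode_handler()(token))
    for claim, default in CLAIM_DEFAULTS.items():
        payload.setdefault(claim, list(default) if isinstance(default, list) else default)
    return payload
```

With `JWT_DECODE_HANDLER` unset the default handler runs; pointing it at a dotted path (as the Ecommerce Service does) swaps in that handler while the claim defaults still apply.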

3.0.0

The `oauth2.enforce_jwt_scopes` waffle switch was added temporarily for
the rollout of JWT scopes. This removes the toggle and replaces it with
logic equivalent to setting `oauth2.enforce_jwt_scopes` to True.

**BREAKING CHANGE:**

This removes a toggle that may or may not have been set in any
particular environment and that defaulted to False.

*Before taking this upgrade:*
* Make sure your IDA includes `EnsureJWTAuthSettingsMiddleware` in its
declared `MIDDLEWARE` or `MIDDLEWARE_CLASSES`.
* This upgrade is unlikely to cause an issue, but if you want to play it
safe, first check and/or set the `oauth2.enforce_jwt_scopes` waffle
switch to True in all environments for your IDA, then take the upgrade.
You will still need to remove the switch afterwards.

*After taking this upgrade:*
* Once the upgrade has been deployed and is stable, delete the
`oauth2.enforce_jwt_scopes` waffle switch from all environments for the
IDA with the upgrade.


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.