Handle HTTP_AUTHORIZATION headers on all requests.
Review Request #2010 — Created Dec. 21, 2010 and submitted — Latest diff uploaded
This introduces code to handle HTTP_AUTHORIZATION headers for all webapi requests, without first requiring a 401 Unauthorized error. This allows clients to pre-login, even for URLs that don't require authorization to see content.

Since we now handle all this in a single place, @webapi_login_required no longer needs to check the header and attempt to log in. This will have the effect of effectively disabling HTTP Basic Auth for the old API, but that was never a supported feature anyway.

We prevent multiple logins when the user has already logged in by comparing the requested username and the currently authenticated user's name, if any. If the user is already authenticated, we don't bother hitting the auth server or updating the last_login timestamp.

We also no longer specifically set user.last_login, as that's already done by auth.login().
Tested running post-review and verified that authentication still works. Tested using curl to pre-specify a username/password to a URL requiring authentication, without any cookies. I was able to invoke the URL without getting a 401 Unauthorized. Review Board unit tests pass.
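
The flow described above, sketched as an added example that is not Review Board's own code: a Basic header is parsed on every request, and the auth backend is skipped when the header's username matches the session user. The names `parse_basic_auth`, `handle_authorization`, `authenticate` and `login` are hypothetical, and leaving the request unchanged on bad or malformed credentials is an assumption.

```python
import base64

def parse_basic_auth(header):
    """Return (username, password) from a Basic Authorization value, else None."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        # validate=True rejects non-base64 characters instead of skipping them.
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:
        return None
    username, sep, password = decoded.partition(":")  # password may contain ":"
    return (username, password) if sep and username else None

def handle_authorization(environ, session_user, authenticate, login):
    """Pre-login a request from HTTP_AUTHORIZATION, with no 401 round trip.

    session_user: username already authenticated on this session, or None.
    authenticate(username, password) -> bool and login(username) are
    hypothetical callbacks standing in for the auth backend and auth.login().
    Returns the username the request runs as, or None for anonymous.
    """
    header = environ.get("HTTP_AUTHORIZATION")
    creds = parse_basic_auth(header) if header else None
    if creds is None:
        return session_user  # no usable header: request is left as it was
    username, password = creds
    if session_user == username:
        # Same user as the session: no backend hit and no last_login update.
        # The password in the header is not examined on this path, so the
        # existing session is the only proof of identity here.
        return session_user
    if authenticate(username, password):
        login(username)  # login() is what records last_login
        return username
    return session_user  # assumption: failed credentials change nothing

# Constructed sample header for the user "alice" with password "s3cret".
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
```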