This introduces new auth and webapi auth backends for performing API
requests using an API token. Users can have zero or more API tokens
linked to their account, and any will be valid for authentication. The
goal is to allow tokens for different access levels (read/write,
read-only) and, down the road, scopes.
Clients can use these when talking to the API by passing
Authorization: token <token_value>
in the request. This will
authenticate the owner of that token for the API requests.
Tokens cannot be used to authenticate through the website.
For now, tokens must be created through the admin UI. Further changes
are coming to make the usage of tokens more practical.