auth: track API key used for authentication in AuthUser This allows us to define only once how an API key is passed to the app. We might e.g. allow API keys to be passed in an HTTP header; with this change, we only need to update the code in one place. Also change the code to verify up front that the API key resolved to a valid and active user, so LoginRequired doesn't need to do that. Also return plain 403 Forbidden for bad API keys instead of redirecting to the login form, which makes more sense for non-interactive clients (the typical users of API keys).