auth: move CSRF checks from the optional LoginRequired to the more basic BaseController._before _before is not called for the CSRF-immune JSON-API controller and is thus a good place to check CSRF. This also apply CSRF protection to the login controller. The flag for needing CSRF checking is stored in the thread global request object when passed from __call__ to _before for regular controllers. It is thus also set for requests to the JSON-RPC controller, but not used.

# requirements.txt file for use as "pip install -r requirements.txt" as a
# readthedocs compatible alternative to "pip install -e ." which is a working
# alternative to "setup.py develop" which doesn't work with Mercurial 3.7
.