This repository has been archived by the owner on Mar 22, 2018. It is now read-only.

Better system for logging in/session management. #10

Open
brettatoms opened this issue Aug 24, 2013 · 0 comments

@brettatoms
Member

Right now "logging in" basically means that a successful response is returned when a request is made with an Authorization header. In the web app we log in by retrieving and storing the user JSON record in the sessionStorage and sending the user/pwd in each successive request. We need a better system that:

  1. Removes all locks held by the user. (when we implement editing locks)
  2. Returns a session token so we don't have to store the user/pwd in the browser, that has an expiration date.
  3. Supports a /logout that revokes the session token.
  4. Creates an auth history table that stores session tokens and keeps a history of user logins and logouts.

If we could drop in an OAuth or OAuth2 implementation that would be best.

@ghost ghost assigned brettatoms Aug 24, 2013
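
Added example, not part of the original issue or the project's code: a sketch of requirements 2 to 4 (expiring session token, revocation on logout, auth history table) over an in-memory SQLite database. The table name `auth_history`, the function names and the one-hour `SESSION_TTL` are assumptions; credential verification and lock release are outside its scope.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 3600  # assumed lifetime in seconds; the issue does not specify one

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_history (token_hash TEXT PRIMARY KEY, username TEXT NOT NULL,"
        " login_at REAL NOT NULL, expires_at REAL NOT NULL, logout_at REAL)"
    )
    return conn

def _digest(token):
    # Only the hash is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def login(conn, username, now=None):
    """Call after the credentials have been verified; returns (token, expires_at)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO auth_history VALUES (?, ?, ?, ?, NULL)",
        (_digest(token), username, now, now + SESSION_TTL),
    )
    return token, now + SESSION_TTL

def current_user(conn, token, now=None):
    """Return the username for a live token, or None if unknown, expired or revoked."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT username FROM auth_history "
        "WHERE token_hash = ? AND logout_at IS NULL AND expires_at > ?",
        (_digest(token), now),
    ).fetchone()
    return row[0] if row else None

def logout(conn, token, now=None):
    """Revoke the token but keep its row as login/logout history."""
    now = time.time() if now is None else now
    cur = conn.execute(
        "UPDATE auth_history SET logout_at = ? "
        "WHERE token_hash = ? AND logout_at IS NULL",
        (now, _digest(token)),
    )
    return cur.rowcount == 1
```

The client then sends only the token on each request, and every row remains after logout or expiry as the login/logout record.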