Cleanup authentication handling
With the recovery codes from pixelated we now got 5 different kinds of auth:
- default
- admin
- monitor
- api
- recovery
We are using very different mechanisms for these:
- default: session based on cookie
- admin: default plus config file
- monitor: default plus config file?
- api: token auth in http headers
- recovery: separate warden strategy and scope
Let's unify them and clean up the code that is spread out across app/controllers esp. the controller extensions.