adds a temporary auth method to users which does not require a password
or similar. This is just for testing right now and assumes a self-hosted
no-threats environment.
Also adds a user_key state to keep track of authed users. These
currently *DO NOT EXPIRE* which is pretty bad haha. The entire auth
system will be redone.
