users log in and out

[robsdudeson]

closes #31

Summary

This adds the nuts and bolts for a simple API auth scheme. This leverages Users and Apps to create sessions that we can invalidate at anytime initially these tokens will live for a day, but we could change this later if we wanted. this does not deal with role based authorization, but this is foundational to that

TODO

• [ ] wrap up units
• [ ] add curl examples to get auth and query a protected route

[KimmestOfChis]

So far so good! Let me know when you want to integration test this bad boy. I can write some cypress scripts to go along with this PR