Improve CORS compatibility and allow JSON body for user auth

[retro486]

Add tornado-cors to shim in better CORS compliance (namely responding to the empty OPTIONS request) and allow user auth data to be POSTed as JSON data in the body. Also add a try-catch in BaseHandler for when failure_reason isn't defined.

Also remove Access-Control-Allow-Origin header since the CorsMixin handles that now.

[KillingJacky]

Thank you very much for your pull, Russ.