pass a dispatch object to validateToken so it can update roles, without exposing anything else.
add that param in actions that respond to the dispatcher (and default to nil).
add fields in client/index to check for a valid role and wipe otherwise (this'll force current users to log in again, but won't lock them out by looking for something that's not there).
okay!
the main changes here: