Authentication next steps

[Frando]

What we still need to do:

• [ ] client: don't store tokens/accesscode in localStorage, use secure cookies instead
• [ ] server: allow to create tokens with read/write capabilities for specific collections
• [ ] client: support multiple tokens/accesscodes
• [ ] rethink token vs accesscode model, review where we want/need JWTs
• [ ] add one-time login links for use in short URLs, remove accesscodes
• [ ] maybe add sessions (after login) with plain old session cookies (less overhead than JWTs in all requests)
• [ ] add UI to manage tokens
• [ ] rethink if/how we want to derive tokens/JWT from hypercore keys