Improved cookie based auth

[joepio]

Current implementation of cookie based auth #241 solves the most important issue (being able to view private images), but it still needs some improvements:

• [ ] #278
• [ ] Signed authentication should include expiration date. Otherwise, the signature / cookie can be re-used by malicious actors outside of the expiration date. https://github.com/atomicdata-dev/atomic-data-rust/issues/526
• [ ] Use cookie authentication for file uploads, so we can get rid of signing individual HTTP requests. Note that this currently works on same-origin situations, but not cross.

[rescribet]

Cross origin cookies can't be set from JavaScript by design (major security risico), from what I can see only subdomains are a possibility. Proxying images through your own server seems like an easy solution.

By far the simplest way to invalidate authentication is to set a minimum timestamp and reject everything earlier. Though just adding an expiration is more robust.