hasgeek / flask-lastuser

Flask extension for Lastuser

Specify scope in requires_login decorator #18

Open jace opened 8 years ago

jace commented 8 years ago

Flask-Lastuser's old resource decorator is clunky and has never been used in production. The before_request handler, however, has recently acquired the ability to parse an access token like a session cookie and load the linked user.

This mechanism should extend to requires_login and requires_permission, both of which should:

  1. [ ] Accept a scope parameter;
  2. [ ] Register the view as a resource; and
  3. [ ] Enforce a check when the user has arrived via an access token.
jace commented 8 years ago

So we have a few complications:

  1. Flask-Lastuser's before_request now calls token_auth asking it to check for a valid token for resource *
  2. Since the access token doesn't itself contain a scope, and in before_request we don't yet know which endpoint is going to be called or what resource scope is required, we have no option but to check for *
  3. The actual check is done in Lastuser's token/verify endpoint, which returns True/False for the given token and resource name.
  4. Even if we knew which resource was being called in this request, we'd have to hit Lastuser each time to confirm the token is valid for that resource as well.

Instead, Lastuser should provide a token/get_scope endpoint that returns all the resources this token provides access to, and let the client app (a) cache this single assertion instead of a separate assertion per request, and (b) confirm it's valid when the actual view is called.
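
The scope-aware decorator sketched in the two comments above, as an added example that is not Flask-Lastuser's own code: `RequestContext`, `before_request`, `requires_permission`, `fake_get_scope` and `FAKE_TOKENS` are assumptions standing in for Flask's `g`, the extension's handler and Lastuser's proposed token/get_scope endpoint. Session-cookie users pass the login check; token users are confined to the scopes cached from one get_scope call, so the scope check itself never hits Lastuser again.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet, Optional

class AuthError(Exception):
    """Stands in for Flask's abort(401/403) so the example runs without Flask."""

@dataclass
class RequestContext:
    """Constructed stand-in for Flask's request-scoped `g`, filled once per request."""
    user: Optional[str] = None                  # user from session cookie or access token
    via_token: bool = False                     # True when the user arrived via an access token
    token_scopes: FrozenSet[str] = frozenset()  # scopes cached from a single get_scope call

# Views registered as resources, keyed by scope name (what resource_handler used to do).
RESOURCES: Dict[str, Callable] = {}

def before_request(ctx, session_user=None, token=None, get_scope=None):
    """Load the user from the session cookie, or from the token via one
    get_scope(token) -> (user, scopes) lookup whose result is cached on ctx."""
    if session_user is not None:
        ctx.user = session_user
        return
    if token is not None and get_scope is not None:
        user, scopes = get_scope(token)
        if user is not None:
            ctx.user, ctx.via_token, ctx.token_scopes = user, True, frozenset(scopes)

def requires_permission(scope):
    """Register the view as resource `scope`; enforce the scope only for token callers."""
    def decorator(view):
        RESOURCES[scope] = view
        @wraps(view)
        def wrapper(ctx, *args, **kwargs):
            if ctx.user is None:
                raise AuthError("login required")
            # Cookie users already passed Lastuser's login; token users may only
            # reach resources the token was issued for.
            if ctx.via_token and scope not in ctx.token_scopes:
                raise AuthError("token lacks scope %r" % scope)
            return view(ctx, *args, **kwargs)
        return wrapper
    return decorator

@requires_permission("profile:read")
def profile(ctx):
    return "profile of %s" % ctx.user

# Constructed stand-in for Lastuser's get_scope endpoint: token -> (user, scopes).
FAKE_TOKENS = {"tok-readonly": ("alice", {"profile:read"}), "tok-other": ("bob", {"events:write"})}

def fake_get_scope(token):
    return FAKE_TOKENS.get(token, (None, set()))

def call_profile(session_user=None, token=None):
    """Simulate one request; return the view result or the denial reason."""
    ctx = RequestContext()
    before_request(ctx, session_user=session_user, token=token, get_scope=fake_get_scope)
    try:
        return profile(ctx)
    except AuthError as e:
        return "denied: %s" % e
```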

iambibhas commented 7 years ago

@jace can you elaborate this part a little -

Register the view as a resource

jace commented 7 years ago

It means they have to do the same thing as the resource_handler decorator.