Updating User auth from talk today; see the TODOs for considerations

[jad-b]

Didn't make it all the way through, but I wanted to lay out the bigger ideas

• UserAuth username, user metadata, and all auth-related work
• UserPII holds all sensitive information that directly relates to a real person
• sessions.go is gone; auth tokens basically represent sessions

I think UserAuth could stand to be split into UserMeta, but I don't really care right now. What probably makes the most sense is whatever the most-common use-case for DB lookups will be (minimizing JOINs, etc.)

[jad-b]

Opened this against jad-b/torque#basic-auth; going to re-open against master.