Refactor server session handling

[infinisil]

This cleans up the "session" handling, as explained in issue #38:

• The database gets a new auth_tokens table, which records which user is logged in with authentication tokens. The tokens are set as a client cookie when authentication succeeds, which is then subsequently checked against the database for any operations requiring authentication
  • This has the main effect for the demo that restarting the server won't log out every user.
• A new module PendingOps is introduced, which implements an efficient way to store the options (including the challenge) of pending webauthn operations (registering and login) temporarily in memory until they are completed or expire.
  • In order to make this efficient, the expiration time is stored in the challenge directly
  • This has the effect that no memory is leaked anymore, and it simplified things
• A refactoring was done to both speed up login operations (removing a linear-time find) and remove the need to store the user handle in memory for a pending login operation.
  • This makes pending operations for registering and login work exactly the same, allowing more code reuse

Writing this new PendingOps module for the server also made it clear that this could also be provided by the library directly, since it's a very reusable part.

[infinisil]

Squashed some related commits together, will merge after CI passes