/login needs to return an auth token.

The auth token can be passed in on subsequent requests and will be checked to be a valid user.

This needs to be checked on any data creation and any sensitive data.

All POST, PATCH, DELETE and PUT requests need to be wrapped in this check.

Closing as a duplicate of #11 .