This changeset includes changes to the auth functions to allow us to
create an auth that will selectively restrict incoming methods. In the
future we can use this to integrate authorisation into our
applications.
For now we use this to allow the creation of users, in addition to
reading and looking up users.

The motivations for this change is to set the token correctly on the
request context, allowing us to use this in RPC calls that require
knowledge about who is making the call.