Decouple file serving from `internal/auth/` package

The following discussion from !263 (merged) should be addressed:

• @krasio started a discussion: (+2 comments)

  So with this changes the responsibility to return 404 is now with the caller of CheckAuthentication, correct?

---

Currently the internal/auth/ package takes an http.ResponseWriter and an http.Request while deciding if a resource is accessible or not when access control is enabled. This gives the responsibility of serving content to that package.

We should refactor internal/auth/ so that serving files responsibility belongs to whatever package needs to call this auth package. Additionally, the package should handle errors gracefully instead of returning boolean values.