Better authorization/authentication options

A new improved auth section is added. Here is a summary of the changes:

  • You can require authentication by setting auth.require_authentication=True (default=False). (The old setting oasis.require_authentication has moved here and remains backwards compatible.) If this is true, no one can access any of the API or the GUI without first logging in successfully.
  • You can reject unauthorized users by setting auth.reject_unauthorized_users = True (default=True). If this is true, you have to be a part of auth.authorized_users to be able to do anything with the API.
  • If auth.require_authentication=False, you can control which API scopes non-authenticated users have access to by using auth.unauthenticated_user_scopes. Defaults to a setting that allows them to read any data (they obviously still can't read data where specific user authorization is required).
  • If auth.reject_unauthorized_users=False, you can control which API scopes non-authorized users have access to by using auth.unauthorized_user_scopes. Defaults to a setting that allows them to read any data (they obviously still can't read data where specific user authorization is required).
Edited by Lauri Himanen
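
How the four settings summarized above combine, as an added example that models the description and is not the project's own code. The scope names, the order in which the checks run, the full-scope grant for authorized users and the user names are assumptions; only the setting names and their defaults come from the summary.

```python
from dataclasses import dataclass

# Hypothetical scope names; the summary above does not list the real ones.
READ_ONLY = frozenset({"read"})
ALL_SCOPES = frozenset({"read", "write"})


@dataclass
class AuthConfig:
    # Setting names and boolean defaults follow the summary; the default scope
    # sets are assumed to encode "allowed to read any data".
    require_authentication: bool = False
    reject_unauthorized_users: bool = True
    authorized_users: frozenset = frozenset()
    unauthenticated_user_scopes: frozenset = READ_ONLY
    unauthorized_user_scopes: frozenset = READ_ONLY


def effective_scopes(cfg, user=None):
    """Scopes granted to `user` (None = not logged in); empty set = rejected."""
    if user is None:
        # Anonymous caller: nothing at all once login is mandatory.
        if cfg.require_authentication:
            return frozenset()
        return cfg.unauthenticated_user_scopes
    if user in cfg.authorized_users:
        # Assumption: these settings place no scope limit on authorized users.
        return ALL_SCOPES
    # Logged in, but not listed in authorized_users.
    if cfg.reject_unauthorized_users:
        return frozenset()
    return cfg.unauthorized_user_scopes


def audit(cfg):
    """Report scopes an anonymous caller holds that a logged-in, unlisted user lacks."""
    anon = effective_scopes(cfg, None)
    unlisted = effective_scopes(cfg, "constructed-unlisted-user")
    extra = anon - unlisted
    if extra:
        return ["anonymous access exceeds unauthorized-user access: "
                + ", ".join(sorted(extra))]
    return []


# Constructed configurations: the documented defaults, then a locked-down variant.
defaults = AuthConfig(authorized_users=frozenset({"alice"}))
locked = AuthConfig(require_authentication=True,
                    authorized_users=frozenset({"alice"}))
```

Under this model the documented defaults leave anonymous callers with read access while a logged-in user outside auth.authorized_users is rejected, which `audit(defaults)` reports; setting auth.require_authentication=True closes that gap.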
