server: Run API requests as authenticated user

[maxlang]

When the client makes an authenticated request, the server must run that request as that user; currently, all API requests are still run as the root user, regardless of the specific user that has been authenticated.

[mrtracy]

User information can now be attached to API calls via an HTTP cookie. This is not yet being enforced, but is implemented.

[mrtracy]

Closed the wrong bug, this one needs to get moved to 1.2.