Open
Description
The shape of req.body is defined by an API caller, which makes it a potentially dangerous place to store auth context, since a user could construct a body that contains auth information.
If we (1) have auth logic looking at that object and then (2) somehow fail to sanitize the user input, then someone could inject permissions they don't have.
The solution here is to use something that does not get written by express / is ONLY populated by our auth middleware (e.g. req.auth).
A happy side effect of this is that it allows us to address #284, since we'll no longer have middleware that expects other-middleware-populated req state (specifically: req.body does not exist unless the express.json or bodyParser.json middleware has been run).
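The two failure modes described in the issue, as an added example that is not part of the issue or the project's code. It uses a constructed in-memory session table and a tiny stand-in for Express's `(req, res, next)` middleware chain so it runs without the `express` package; the token strings, the `role` claim and the `/admin`-style handler are hypothetical. `vulnerableAuth` copies the auth context onto `req.body` (the object the caller shapes), so an anonymous caller who sends `{"role":"admin"}` passes the admin check, and the same middleware throws when no body parser ran. `hardenedAuth` writes only `req.auth`, which nothing else populates, so neither problem applies.

```javascript
'use strict';

// Constructed session table: bearer token -> auth context. In a real app this
// would be a JWT verification or a session-store lookup. Tokens are hypothetical.
const SESSIONS = {
  'tok-alice': { userId: 'alice', role: 'user' },
  'tok-root': { userId: 'root', role: 'admin' },
};

// Minimal stand-in for Express's middleware pipeline so the example runs
// without the express package. Each middleware is (req, res, next); a thrown
// error is turned into a 500, as Express's default error handler would.
function runChain(middlewares, req) {
  const res = {
    statusCode: 200,
    ended: false,
    status(code) { this.statusCode = code; return this; },
    end() { this.ended = true; return this; },
  };
  let i = 0;
  function next(err) {
    if (err) { res.status(500).end(); return; }
    const mw = middlewares[i++];
    if (!mw) return;
    try { mw(req, res, next); } catch (e) { res.status(500).end(); }
  }
  next();
  return res.statusCode;
}

// VULNERABLE: stores auth context on req.body, the object the client controls.
// If no session is found nothing is written, so whatever the caller put in the
// body (e.g. role: "admin") survives into the authorization check.
function vulnerableAuth(req, res, next) {
  const session = SESSIONS[req.headers.authorization];
  if (session) {
    req.body.userId = session.userId; // throws TypeError if no body parser ran
    req.body.role = session.role;
  }
  next();
}
function vulnerableRequireAdmin(req, res, next) {
  if (req.body.role !== 'admin') { res.status(403).end(); return; }
  next();
}

// HARDENED: auth context lives only on req.auth, which only this middleware
// writes. It is set unconditionally (undefined for anonymous callers) and
// frozen, and it never reads or depends on req.body.
function hardenedAuth(req, res, next) {
  const session = SESSIONS[req.headers.authorization];
  req.auth = session
    ? Object.freeze({ userId: session.userId, role: session.role })
    : undefined;
  next();
}
function hardenedRequireAdmin(req, res, next) {
  if (!req.auth || req.auth.role !== 'admin') { res.status(403).end(); return; }
  next();
}

// Hypothetical protected handler: reaching it means authorization passed.
function adminHandler(req, res) { res.status(200).end(); }

function makeReq(authorization, body) {
  return { headers: authorization ? { authorization } : {}, body };
}

// Runs each chain against constructed requests and returns the status codes.
function scenarios() {
  const forgedBody = { role: 'admin', userId: 'root' }; // attacker-controlled JSON
  const vulnerable = [vulnerableAuth, vulnerableRequireAdmin, adminHandler];
  const hardened = [hardenedAuth, hardenedRequireAdmin, adminHandler];
  return {
    // Anonymous caller forges the role in the JSON body.
    vulnerableForged: runChain(vulnerable, makeReq(undefined, forgedBody)), // 200: privilege injected
    hardenedForged: runChain(hardened, makeReq(undefined, forgedBody)),     // 403
    // Authenticated non-admin tries the same forgery.
    vulnerableUserForged: runChain(vulnerable, makeReq('tok-alice', forgedBody)), // 403 only because the overwrite happened
    hardenedUserForged: runChain(hardened, makeReq('tok-alice', forgedBody)),     // 403
    // Legitimate admin session.
    hardenedAdmin: runChain(hardened, makeReq('tok-root', {})), // 200
    // No body parser ran (the #284 case): req.body is undefined.
    vulnerableNoBody: runChain(vulnerable, makeReq('tok-root', undefined)), // 500: TypeError in vulnerableAuth
    hardenedNoBody: runChain(hardened, makeReq('tok-root', undefined)),     // 200
  };
}
```

The `vulnerableUserForged` case is the one that makes the pattern easy to miss in testing: as long as a session is found, the overwrite masks the forged value, and only the anonymous path (or any future branch that skips the overwrite) exposes it. Keeping the context on `req.auth` removes the overlap between caller-controlled and middleware-controlled state instead of relying on every branch to sanitize it.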