Authentication next steps #62

@Frando

What we still need to do:

  • client: don't store tokens/accesscode in localStorage, use secure cookies instead
  • server: allow creating tokens with read/write capabilities for specific collections
  • client: support multiple tokens/accesscodes
  • rethink token vs accesscode model, review where we want/need JWTs
  • add one-time login links for use in short URLs, remove accesscodes
  • maybe add sessions (after login) with plain old session cookies (less overhead than JWTs in all requests)
  • add UI to manage tokens
  • rethink if/how we want to derive tokens/JWT from hypercore keys
