api keys: require reauthentication when working with API keys.

Require the user to re-enter their password before they can view,
create, update, or delete their API keys.

This works by tracking the timestamp of the user's last password
re-entry in a `last_authenticated_at` session cookie, and redirecting
the user to a password confirmation page if they haven't re-entered
their password in the last hour.

This is modeled after Github's Sudo mode.

app/controllers/api_keys_controller.rb

@@ -1,4 +1,5 @@
 class ApiKeysController < ApplicationController
+  before_action :requires_reauthentication
   respond_to :html, :json, :xml
 
   def new

app/controllers/application_controller.rb

@@ -189,6 +189,15 @@ class ApplicationController < ActionController::Base
     params.fetch(PolicyFinder.new(record).param_key, {})
   end
 
+  def requires_reauthentication
+    return if CurrentUser.user.is_anonymous?
+
+    last_authenticated_at = session[:last_authenticated_at]
+    if last_authenticated_at.blank? || Time.parse(last_authenticated_at) < 60.minutes.ago
+      redirect_to confirm_password_session_path(url: request.fullpath)
+    end
+  end
+
   # Remove blank `search` params from the url.
   #
   # /tags?search[name]=touhou&search[category]=&search[order]=

app/controllers/sessions_controller.rb

@@ -6,6 +6,9 @@ class SessionsController < ApplicationController
     @user = User.new
   end
 
+  def confirm_password
+  end
+
   def create
     name, password, url = params.fetch(:session, params).slice(:name, :password, :url).values
     user = SessionLoader.new(request).login(name, password)