api keys: require reauthentication when working with API keys.

Require the user to re-enter their password before they can view,
create, update, or delete their API keys.

This works by tracking the timestamp of the user's last password
re-entry in a `last_authenticated_at` session cookie, and redirecting
the user to a password confirmation page if they haven't re-entered
their password in the last hour.

This is modeled after Github's Sudo mode.

app/controllers/api_keys_controller.rb

@@ -1,4 +1,5 @@
 class ApiKeysController < ApplicationController
+  before_action :requires_reauthentication
   respond_to :html, :json, :xml
 
   def new