api keys: require reauthentication when working with API keys.

Require the user to re-enter their password before they can view,
create, update, or delete their API keys.

This works by tracking the timestamp of the user's last password
re-entry in a `last_authenticated_at` session cookie, and redirecting
the user to a password confirmation page if they haven't re-entered
their password in the last hour.

This is modeled after Github's Sudo mode.

app/views/sessions/confirm_password.html.erb

@@ -0,0 +1,17 @@
+<% page_title "Confirm password" %>
+<%= render "secondary_links" %>
+
+<div id="c-sessions">
+  <div id="a-confirm-password">
+    <h1>Confirm password</h1>
+
+    <p>You must re-enter your password to continue.</p>
+
+    <%= simple_form_for(:session, url: session_path) do |f| %>
+      <%= f.input :url, as: :hidden, input_html: { value: params[:url] } %>
+      <%= f.input :name, as: :hidden, input_html: { value: CurrentUser.user.name } %>
+      <%= f.input :password, hint: link_to("Forgot password?", password_reset_path), input_html: { autocomplete: "password" } %>
+      <%= f.submit "Continue" %>
+    <% end %>
+  </div>
+</div>