users: refactor login and authentication logic.

* Make authentication methods into User instance methods instead of
  class methods.
* Fix API key authentication to use a secure string comparison. Fixes a
  hypothetical (unlikely to be exploitable) timing attack.
* Move login logic from SessionCreator to SessionLoader.

app/logical/user_deletion.rb

@@ -62,7 +62,7 @@ class UserDeletion
   end
 
   def validate
-    if !User.authenticate(user.name, password)
+    if !user.authenticate_password(password)
       raise ValidationError.new("Password is incorrect")
     end