users: refactor login and authentication logic.

* Make authentication methods into User instance methods instead of
  class methods.
* Fix API key authentication to use a secure string comparison. Fixes a
  hypothetical (unlikely to be exploitable) timing attack.
* Move login logic from SessionCreator to SessionLoader.
This commit is contained in:
evazion
2020-03-25 03:41:27 -05:00
parent 64af957031
commit b2cf765d6d
14 changed files with 68 additions and 100 deletions


@@ -118,7 +118,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to User.last
assert_equal("xxx", User.last.name)
assert_equal(User.last, User.authenticate("xxx", "xxxxx1"))
assert_equal(User.last, User.last.authenticate_password("xxxxx1"))
assert_equal(nil, User.last.email_address)
assert_no_enqueued_emails
end
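Review bot: The replacement assertion `assert_equal(User.last, User.last.authenticate_password("xxxxx1"))` pins only the success path of the new instance method, so nothing in this test checks that a wrong password is rejected now that the lookup is no longer done by name through `User.authenticate`. A companion line such as `assert_not_equal(User.last, User.last.authenticate_password("wrong"))` would cover the rejection without depending on whether the method returns nil or false on mismatch, which the hunk does not show. The same applies to the second hunk at line 128. Both enclosing test methods start before their hunks.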
@@ -128,7 +128,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to User.last
assert_equal("xxx", User.last.name)
assert_equal(User.last, User.authenticate("xxx", "xxxxx1"))
assert_equal(User.last, User.last.authenticate_password("xxxxx1"))
assert_equal("webmaster@danbooru.donmai.us", User.last.email_address.address)
assert_enqueued_email_with UserMailer, :welcome_user, args: [User.last]
end