users: refactor login and authentication logic.

* Make authentication methods into User instance methods instead of
  class methods.
* Fix API key authentication to use a secure string comparison. Fixes a
  hypothetical (unlikely to be exploitable) timing attack.
* Move login logic from SessionCreator to SessionLoader.

test/unit/user_deletion_test.rb

@@ -43,7 +43,7 @@ class UserDeletionTest < ActiveSupport::TestCase
 
     should "reset the password" do
       @deletion.delete!
-      assert_nil(User.authenticate(@user.name, "password"))
+      assert_equal(false, @user.authenticate_password("password"))
     end
 
     should "remove any favorites" do