Check passwords and recovery responses directly against backend data.

Still doesn't entirely solve the problem of encoding the U2F
registration requests on the client side (we should probably just
accept a bytestring), but all the important functionality is there.

Also set an initial user password, and random passwords for all its
resources, on a CreateUser request.

Rename queryConfig to queryTemplate to better reflect its purpose, and
drop all cruft that had to do with config deserialization.

Txn

See merge request !1

Simplifies the code in AccountService a bit, moving more logic into
the request types. The authentication and authorization bits have been
split into a separate authService type for clarity.

Let the server fill in default values for resource and user creation.

By adding a User to the resource validation context, we can implement
more complex checks like verifying that websites have an associated
DAV account, or that the parent resource of a database is actually a
website.

The validationContext contains all configuration and backends that are
relevant to the various validation functions.

Implement a password recovery endpoint, and a way to set the recovery
hints (in the current model, it's a hint/response system).

Verify that we can set and update storage encryption keys correctly.

Start a full HTTP server, backed by an in-memory LDAP server, and test
the API directly.