handle Authenticate{Get,Post}{In,Out}box methods

[Sigafoos]

These are called when retrieving or adding to a user's inbox and outbox.

• AuthenticatePostInbox: any valid user? someone is sending you a message
• AuthenticateGetInbox: user must own the inbox (getting your home feed)
• AuthenticatePostOutbox: user must own the outbox (sending a new message)
• AuthenticateGetOutbox: any valid user? getting your timeline.

Check the Authentication header. go-fed handles this with HTTP Signatures, so we should support that. JWTs wouldn't be too hard either (so you could use what we have set for the front end). Not sure about other schemes. We should see what Mastodon uses (so that Masto users can like, reply to, etc posts)