coaster
Improved current_auth and other fixes
The request_has_auth helper function accompanying current_auth is meant to be used in an after_request processor to set a Vary: Cookie header if the request accessed current_auth in any way, implying that it is auth-sensitive. Unfortunately, since the current_auth proxy is included in the Jinja2 environment, this means any rendering of a template will invoke current_auth, even if the template does not need it.
This PR changes current_auth to only initialize itself when the actor or user properties are read, thereby removing the Jinja2 issue.
Potential problem: if a view or template does access current_auth, but in the very first access attempts to read another variable that was expected to be set by the login manager, it will not exist as the login manager will only be called when user or actor is accessed.
Potential fix: Implement __getattr__ to (a) call login_manager if no actor attr has been set, or (b) always raise AttributeError post-init. This will have the bonus upside of user and actor not being properties with duplicated code.