Local auth is weak
Our auth implementation for a local qri node has very weak guarantees about the actual user engaging with the API. The token provider simply hands out tokens for any correct username, given that the profile's private and public key exist in the profile store. Given that, an external user with the correct key pair in the store could self-generate keys and use the API, as we neither vet the token beyond that nor validate the issuer of the token or similar fields.
Related to https://github.com/qri-io/qri/issues/1811