Decouple JupyterHub `tornado`-specific authentication framework from `BaseRequest`

[flongford]

In order to handle breaking changes in the way that JupyterHub 0.8.x authenticates with spawned servers (see #596), we have made use of the jupyterhub.services.auth.HubAuthenticated mixin to support using JupyterHub as an OAuth provider.

This is a relatively stable API, that is currently supported by the latest version of JupyterHub (2.3.0 at time of writing): https://jupyterhub.readthedocs.io/en/2.3.0/api/services.auth.html

However, this mixin class was only designed to work directly with tornado.web.RequestHandler classes via the tornado.web.authenticated decorator. Therefore it doesn't play nicely with tornadowebapi, since these classes are hidden away inside the Registry object and the authentication itself is outsourced to the tornadowebapi.authenticator.Authenticator class.

Consequently, in order to support both frameworks, our current authentication pathway is a bit of a mess...

Ideally we should find some way to place all the authentication logic into one place, either the HubAuthenticator or a combined RequestHandler used both by tornado and tornadowebapi components.