
Use user tokens to authenticate users

Currently when a user token is used, request.user is not set: let's set it.

Things to keep in mind

  • a logged-in user persists in the session: if the user token is not presented anymore, and request.user is set from a previous user token, log the user out

Things to decide

If request.user is set to user A by a different backend, and the user token is set to user B:

  1. Keep user A
  2. Log in as user B (but once the user token disappears, the user will be logged out instead of being restored to user A)
  3. Raise an authentication error

I'd go for 3, since user tokens are used by debusine-client and shouldn't intermix with other kinds of logins.
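
The rules discussed in this issue, modelled as an added example (not part of the original issue and not debusine's code). It uses a plain-Python stand-in for the request and session rather than Django; the `Request` class, the `TOKEN_MARKER` session key and `TokenUserConflict` are hypothetical names, and keeping the existing login when both backends agree on the user is an assumption the issue does not settle.

```python
from dataclasses import dataclass, field
from typing import Optional

TOKEN_MARKER = "auth_via_user_token"  # hypothetical session key


class TokenUserConflict(Exception):
    """Token user differs from the user set by another backend (option 3)."""


@dataclass
class Request:
    """Constructed stand-in for a request with a persistent session."""
    session: dict = field(default_factory=dict)
    user: Optional[str] = None        # None means anonymous
    token_user: Optional[str] = None  # owner of the presented user token


def apply_user_token(request: Request) -> Request:
    """Set request.user from the user token, following the issue's rules."""
    via_token = request.session.get(TOKEN_MARKER, False)

    if request.token_user is None:
        # Token no longer presented: end a login that existed only because
        # of a previous user token, so it does not linger in the session.
        if via_token:
            request.session.clear()
            request.user = None
        return request

    if request.user is not None and not via_token:
        # request.user was set by a different backend.
        if request.user != request.token_user:
            raise TokenUserConflict(
                f"session user {request.user!r} != token user {request.token_user!r}"
            )
        # Assumption: same user on both sides, keep the existing login and
        # do not mark it as token-based, so it survives the token going away.
        return request

    # Anonymous, or previously logged in via a token: follow the current token.
    request.user = request.token_user
    request.session[TOKEN_MARKER] = True
    return request
```

Marking token-based logins in the session is what lets the later request distinguish "log out because the token disappeared" from "leave a login made by another backend alone".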
