Currently an HMAC is used to create the token. This works great in the sense that we can validate tokens without accessing the database, we don't need to store the tokens in memory and even after restarting a server the tokens are still valid. Also if BIMserver at some point becomes a distributed system, this would alleviate the need for distributed "session management".
But, currently this also means that the `AuthInterface.logout` call doesn't actually do anything. To allow logout to work, we do need to keep track of tokens that have been invalidated. Since most people/systems never logout, one could argue that this is still a good trade-off.
So what should be done:

1. Implement `AuthInterface.logout`: store the token in the database linked to the `User`, and also store it in memory. Also remove the token from the cached tokens collection (which is a performance optimization to reduce the amount of CPU spent on cryptography).
2. During startup, load all invalidated tokens into memory, so we don't have to access the database in order to determine whether a token is invalidated. This memory structure should be keyed on the username, so the lookups stay manageable.
3. Schedule a process that cleans up invalidated tokens. Since tokens have a limited lifetime, they can be removed from the in-memory structure and the database once that lifetime has passed.
Before doing this, it might be useful to reevaluate the use of HMACs: wouldn't simply storing the valid tokens in a database be easier, possibly cached in memory?
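As an added illustration of the design sketched above (example code written for this page, not BIMserver's own implementation): HMAC-signed tokens that verify without touching a database, a per-username denylist that `logout` fills, and the cleanup job that forgets denylist entries once the token would have expired anyway. The secret, the one-hour lifetime, the token layout and all function names are assumptions.

```python
import base64, binascii, hashlib, hmac, json

SECRET = b"constructed-secret-for-demo"  # assumption: a real server loads this from its config
TOKEN_TTL = 3600                          # assumption: tokens live one hour (seconds)

def mint_token(username, now, secret=SECRET):
    # HMAC-SHA256 over a tiny payload: verifying it needs no database or session state.
    payload = json.dumps({"u": username, "exp": now + TOKEN_TTL}, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return b".".join(base64.urlsafe_b64encode(p) for p in (payload, sig)).decode()

def parse_token(token, now, secret=SECRET):
    """Payload dict if the signature verifies and the token is unexpired, else None."""
    try:
        payload, sig = (base64.urlsafe_b64decode(p) for p in token.split(".", 1))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, hmac.new(secret, payload, hashlib.sha256).digest()):
        return None
    data = json.loads(payload)
    return data if data["exp"] > now else None

class InvalidatedTokens:
    """Logged-out tokens keyed by username (the database copy would be loaded here at startup)."""
    def __init__(self):
        self._by_user = {}                           # username -> {token: exp}
    def add(self, username, token, exp):
        self._by_user.setdefault(username, {})[token] = exp
    def contains(self, username, token):
        return token in self._by_user.get(username, {})
    def cleanup(self, now):
        # Scheduled job: an expired token fails parse_token() anyway, so forget it; returns count.
        before = sum(len(t) for t in self._by_user.values())
        kept = {u: {t: e for t, e in ts.items() if e > now} for u, ts in self._by_user.items()}
        self._by_user = {u: ts for u, ts in kept.items() if ts}
        return before - sum(len(t) for t in self._by_user.values())

def validate(token, denylist, now):
    """Username behind a valid token that has not been logged out, else None."""
    data = parse_token(token, now)
    if data is None or denylist.contains(data["u"], token):
        return None
    return data["u"]

def logout(token, denylist, now):
    """AuthInterface.logout counterpart: record the token so validate() rejects it from now on."""
    data = parse_token(token, now)
    if data is None:
        return False
    denylist.add(data["u"], token, data["exp"])
    return True
```

Because the denylist only has to hold tokens until their own expiry, its size is bounded by the number of logouts per token lifetime rather than by the number of users.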