Wrap wraps an http.Handler with an AuthFunc. Requests that fail auth
get a 401. Requests with ?token= in the query string are redirected
to strip the token after the cookie is set.
TokenAuth returns an AuthFunc that validates requests using a token.
On first visit with ?token=... in the URL, sets a cookie. Subsequent
requests are authenticated via the cookie.