
Advise frontend about HTTP methods allowed on each asset

Dr Rich Wareham requested to merge github/fork/rjw57/issue-44-backend-perms into master

IMPORTANT This pull request is best reviewed commit-wise and e978edd6 introduces settings changes which necessitate modifying the IAR deployment. Read the commit message for more details.

This PR takes the opportunity to do a bit of tidy-up on how we fetch and cache lookup responses for a user. We move from (ab)using the user's token to making use of a token for the backend itself which has the correct scopes. This matches the spirit of OAuth2 in that the entity requesting access to lookup is the backend (for the purpose of validating a user) not the user (for the purpose of getting information on themselves). It also has the advantage that we no longer have to do the lookup when the user's token is readily available in the authentication but can break it out into its own module. The commit message for e978edd6 covers this in more detail.

As e978edd6 provides another use of an OAuth2 token by the IAR, ec90a5fb hoists the current session management logic into a re-usable class which is used by the existing authorisation classes and the new lookup utility functions.

Issue #44 (closed) is addressed by 969c7b4c which re-uses the permissions checking on the views to determine if, in principle, a user is allowed to PUT, POST and DELETE an asset. This is reflected in a new "allowed_methods" field in the asset resource.

Closes #44 (closed)
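The "allowed_methods" derivation described above, as an added example that is not the IAR project's own code: the permission classes, users and assets are hypothetical stand-ins mimicking the Django REST Framework `has_permission` / `has_object_permission` interface, so the block runs without Django. The idea is the one the PR describes: ask the same permission checks the views use, once per mutating method, and report the outcome in the asset resource.

```python
"""Added example (not IAR's own code): compute an asset's allowed_methods by
re-running the view's permission checks for PUT, POST and DELETE, so the
frontend only offers actions the backend would actually accept."""
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
MUTATING_METHODS = ("PUT", "POST", "DELETE")  # methods reported to the frontend


@dataclass
class User:                      # hypothetical stand-in for the request user
    username: str
    is_authenticated: bool = True
    institutions: frozenset = frozenset()  # constructed: lookup-derived groups
    is_admin: bool = False


@dataclass
class Asset:                     # hypothetical asset resource
    id: str
    department: str              # institution that owns the asset


@dataclass
class FakeRequest:               # minimal request: only method and user are read
    method: str
    user: User


class IsAuthenticated:
    def has_permission(self, request, view): return request.user.is_authenticated
    def has_object_permission(self, request, view, obj): return True


class OwnInstitutionOrReadOnly:
    """Hypothetical object rule: anyone reads; only members of the owning
    institution (or admins) may modify or delete."""
    def has_permission(self, request, view): return True
    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        return request.user.is_admin or obj.department in request.user.institutions


def allowed_methods(user, asset, permission_classes, methods=MUTATING_METHODS):
    """Return the mutating methods `user` may apply to `asset`, consulting the
    same permission classes a view would (view passed as None here)."""
    allowed = []
    for method in methods:
        req = FakeRequest(method=method, user=user)
        perms = [cls() for cls in permission_classes]
        if all(p.has_permission(req, None) for p in perms) and \
           all(p.has_object_permission(req, None, asset) for p in perms):
            allowed.append(method)
    return allowed


def serialize_asset(asset, user, permission_classes):
    """Asset resource with the new allowed_methods field alongside its data."""
    return {"id": asset.id, "department": asset.department,
            "allowed_methods": allowed_methods(user, asset, permission_classes)}
```

In a real DRF serializer this would be a `SerializerMethodField` reading the user from `self.context["request"]` and the view's `permission_classes`; a denied method in this list is advisory for the UI only, the view still enforces the check on the actual request.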
