Stepping stone towards #364, as it implements only the last part (i.e. authentication).

While working on this feature, I have also fixed a bug in the current implementation of ThrowAll (formerly named throwAll'): the previous implementation was not sufficiently lazy, and was executing the handler action before eventually throwing the err401 for Unauthorized access, which was problematic as it might have lead to users temporarily modifying the DB even though they had no access (which would be discovered after the modification had been done).

The tests I have added will also serve as a regression for the current implementation of throwAllRoutes, which is now sound.