Potential privilege escalation for apps with authenticate_users permission

[Artemis21]

An app with the authenticate_users permission can also use the permissions of any user, even if they are greater than the app's own, by authenticating as that user. Is this an issue? Or do we just treat authenticate_users as a "superuser" permission?

[Artemis21]

A fix for this, if it needs fixing, could mean associating sessions with the app that created them, which is not necessarily a bad thing. (The alternative would be to have per-scope permissions, which would allow having scopes more limited that of either the app or the user's permissions, which would be good for security, but might also get messy)