Extracted API auth into guard

Also implemented more elegant solution to allowing session auth for API
routes; A new 'StartSessionIfCookieExists' middleware, which wraps the
default 'StartSession' middleware will run for API routes which only
sets up the session if a session cookie is found on the request. Also
decrypts only the session cookie.

Also cleaned some TokenController codeclimate warnings.

app/Http/Middleware/StartSessionIfCookieExists.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace BookStack\Http\Middleware;
+
+use BookStack\Http\Request;
+use Closure;
+use Exception;
+use Illuminate\Session\Middleware\StartSession as Middleware;
+
+class StartSessionIfCookieExists extends Middleware
+{
+    /**
+     * Handle an incoming request.
+     */
+    public function handle($request, Closure $next)
+    {
+        $sessionCookieName = config('session.cookie');
+        if ($request->cookies->has($sessionCookieName)) {
+            $this->decryptSessionCookie($request, $sessionCookieName);
+            return parent::handle($request, $next);
+        }
+
+        return $next($request);
+    }
+
+    /**
+     * Attempt decryption of the session cookie.
+     */
+    protected function decryptSessionCookie(Request $request, string $sessionCookieName)
+    {
+        try {
+            $sessionCookie = $request->cookies->get($sessionCookieName);
+            $sessionCookie = decrypt($sessionCookie, false);
+            $request->cookies->set($sessionCookieName, $sessionCookie);
+        } catch (Exception $e) {
+            //
+        }
+    }
+}