Require Authorization header for broadcaster

As opposed to just the broadcaster token. This makes the broadcaster
username/password login mandatory, which previously was only mandatory
in the `auth_required` wrapper, but not elsewhere (so for example
leaving comments as the broadcaster was possible with the token only). A
less safe alternative to this would be to compare tokens in `check_auth`
once the Authorization header didn't match.
This commit is contained in:
n9k 2022-06-14 04:57:54 +00:00
commit 03acd14b77
1 changed file with 3 additions and 0 deletions


@ -2,6 +2,7 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
import hashlib
import hmac
import re
import string
import time
@ -79,6 +80,8 @@ def with_user_from(context):
or context.cookies.get('token')
or generate_token()
)
if hmac.compare_digest(token, CONFIG['AUTH_TOKEN']):
raise abort(401)
# Reject invalid tokens
if not RE_TOKEN.fullmatch(token):
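Review bot: the new `hmac.compare_digest(token, CONFIG['AUTH_TOKEN'])` check runs before the `RE_TOKEN.fullmatch(token)` validation, and `compare_digest` only accepts `str` arguments when both are ASCII-only; a token taken from the cookie or request with a non-ASCII character in it will raise `TypeError` instead of falling through to the 401/invalid-token path, turning attacker-controlled input into a server error. Either move the comparison below the `# Reject invalid tokens` check so the regex has already constrained the token's alphabet, or compare bytes (`token.encode()` against `CONFIG['AUTH_TOKEN'].encode()`) so the call is total over any input. A one-line comment stating that the broadcaster's `AUTH_TOKEN` is deliberately refused as a user token here, and that broadcaster access must come through the Authorization header instead, would also help the next reader, since the 401 on a value that is otherwise "valid" looks surprising without the commit message.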