API authentication will use existing user and superuser authn if present
The upshot is that interactive users of the API won't have to use a token if they have an active session. If the user has logged into superuser scope, then they are allowed to pass through immediately. A user that is logged in, but not in superuser scope, will have their ability to become superuser checked; it that check passes, they are allowed; otherwise, they are unauthorized (i.e., this cannot be overridden by a token). If an authenticated user is not present, then we require a valid bearer token for a superuser-abled user as before.