AuthUser does not properly set user as authenticated
I'm not sure if this is intentional or an oversight, so I wanted to file the bug anyway.
When attempting to authenticate a user with a userid or apikey, the AuthUser function doesn't set a user as authenticated if it successfully loaded. (And as an aside, when trying to auth by a username that does not exist, it is automatically created (not sure if this is intended or not either)).
Patch attached if this is indeed a bug...