The current authentication system is a big pile of microwave spaghetti (not to be confused with delicious spaghetti) and should be cleaned up.
- Stop calling authentication tokens 'id'. For example, currently session['user_id'] is an authentication token.
- Stop putting secret information in the session. The aforementioned session['user_id'] is sent as-is to the web browser. This is like sending a password back and forth all the time.
- Have one module that handles authentication, and one place to store the authentication information once someone is logged in successfully.
- Either accept an Authorization header or do a CSRF check, but don't do both.
- Create one way to load the user from the database in the authentication system. Currently a UserClass instance can be created empty with only an authentication token, or filled with information from the database. It's unclear which one is used in which situation.
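To illustrate the points above (one authentication module, no secret in the client-visible session, one way to load the user), here is an added Python sketch that is not code from the project described; the in-memory `USERS` and `SESSIONS` dicts are constructed stand-ins for the real database and session store.

```python
import hashlib
import secrets

# Constructed in-memory stand-ins (assumption): a user table keyed by the
# user's real database id, and a server-side session store that maps the
# SHA-256 of an opaque token to that id. Neither is ever sent to the browser.
USERS = {42: {"name": "alice"}}
SESSIONS = {}


class AuthenticationError(Exception):
    pass


def flawed_login(user_id):
    """The pattern the issue objects to: the cookie-backed session itself
    carries the value that grants access, so the browser sees the secret."""
    return {"user_id": user_id}  # serialised into the cookie as-is


def _token_key(token):
    # Only the hash is stored, so a leaked session store yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def login(user_id):
    """Issue an opaque random token; the server keeps only its hash."""
    if user_id not in USERS:
        raise AuthenticationError("unknown user")
    token = secrets.token_urlsafe(32)  # this is a token, not an 'id'
    SESSIONS[_token_key(token)] = user_id
    return token  # belongs in an HttpOnly, Secure cookie


def load_user(token):
    """The single place that turns a presented token into a database-backed
    user record. It returns a full record or raises; there is no 'empty' user."""
    user_id = SESSIONS.get(_token_key(token))
    if user_id is None:
        raise AuthenticationError("invalid or expired token")
    return USERS[user_id]


def logout(token):
    """Revoke the token server-side; the cookie value alone is then useless."""
    SESSIONS.pop(_token_key(token), None)
```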