Support bearer authentication

[fluffy-critter]

Pushl should be able to support private webmentions by supporting AutoAuth or some other bearer token mechanism.

[fluffy-critter]

For the actual implementation it probably makes the most sense to be able to provide a bearer token, and have a separate helper app that can fetch one. (Which is also nice for my use case because it's trivial for me to just generate a bearer token locally instead of having to go through my IndieAuth endpoint.)

[fluffy-critter]

Some thoughts on this: maybe add a --bearer parameter which specifies a script to call. When pushl gets a WWW-Authenticate header in a response, it does token_endpoint discovery (via <link> tag and/or Link: header) and calls the script with e.g.

bearerScript attemptedUrl scope endpoint

where scope and/or endpoint could be empty strings. Then the script can return status 0 and a bearer token to use, or status non-zero and an error message to propagate to the user. If the script provides a token, Pushl retries the content retrieval with it. Pushl should also cache the token on a per-domain basis, and provide that in the initial request.