Flag a session user for re-authentication without wiping the user data

[ngbrown]

Currently, if the User session value exists at all (using the sessionKey), the user considered authenticated.

It is a common case that a user might need to partially re-authenticate, either with an external OAuth provider or just re-enter their password. The user name could be pre-filled since they had been logged in previously.

Unless the user has purposely logged out, I think there should be a way to read the user data but still have the user in an "expired" state where they need to re-authenticate.

[clgeoio]

An additional use case for the OAuth scenario would be to request additional scopes permissions from a user account, such as requesting access to a user's Calendar after they have signed up.