Document availability of request.auth.token in verifyFunc()

[jmm]

request.auth.token is set by the time verifyFunc() is invoked. Can that be documented? Current documentation only refers to it as being available after validation.

[nelsonic]

Well spotted @jmm (again!) Documentation update?

[jmm]

Thanks! This...

The encoded JWT (token) is extracted from the headers of the request

...and all similar references should just say something to the effect of "extracted from the request", since additional token sources (cookie, URL) were added. (Technically reading it from a cookie is still extracting it from the headers, but for the purposes of these docs I think it's more helpful to treat headers and cookies as fundamentally different places to read the token from.) Same with references to the Authorization header, since the header to read from is configurable. I opened #190 for that.