Various clean-ups from Stef's feedback

• Update documentation (missed in last commit)
• Return 408 for timeouts
• Return authorization with token when logging in
• Change logout to use the token from the header, not from the body.
• Fix null subscript error when token is empty
• Remove restriction on authorization being RO/RW