Anonymous web service requests should go through the same validation process as nymous requests

My fix to bug 385517 shouldn't take long to implement but it will have two warts that need to be improved.

1. It short-circuits the normal token verification code, so won't be verifying the signature or nonce of the incoming request. This is not a big deal because there's no signature to speak of and a replay attack can't cause any real damage. But it would be nicer to run the same code in all circumstances.

2. More seriously, we have no way of throttling anonymous access, because our throttle techniques rely on access key, consumer, or the combination of the two. If Launchpad kept track of an access key for a consumer's anonymous access, we could use our normal throttle techniques.

My original solution avoids both these warts. When the first anonymous request for a given consumer comes in, we automatically create a request token for that consumer, review it (on the authority of the anonymous user), and exchange it for an access token. That access token is used for this request and all of that consumer's subsequent anonymous requests, and it can be throttled like any other token.

The problem with my original solution is that there's no way to give the anonymous user a request token. This would require that the OAuthToken.person field be null, which is not allowed. Fixing this properly requires a database patch, which is a Big Deal, so I'm fixing most of the problem and filing a bug for the rest.