Allow protecting the 'bw serve' endpoint with an Authorization Header

Currently, the bw serve command defaults to listening only on localhost, which is already a good thing.
But still, all applications on the system would be able to access the passwords without any authentication. That is fine when bw serve is just run for a short time, but for use cases where you want to run it for a longer time, it just does not feel right.

An easy fix for it would be an (optional) parameter on the command to require an Authorization header. The parameter could accept a token that is checked or, if not specified, default to the BW_SESSION key that already exists.

To access the API, you would then have to use it like this:

curl -H "Authorization: Bearer $BW_SESSION" http://localhost:8087/list/object/items

This would improve the security a lot while keeping it simple.

What do you think?
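
The check proposed in this post, sketched as an added example (not code from the Bitwarden CLI or from the poster): a Node.js wrapper that rejects any request lacking the expected bearer token, compares tokens in constant time, and fails closed when no token is configured. The names `tokensMatch`, `isAuthorized` and `createProtectedServer` are hypothetical, and taking the token from `BW_SESSION` is an assumption based on the post.

```javascript
// Added example; function names are hypothetical, not from the Bitwarden CLI.
const crypto = require("node:crypto");
const http = require("node:http");

// Constant-time comparison. Hashing both sides first yields equal-length
// buffers (timingSafeEqual throws otherwise) and hides the token length.
function tokensMatch(presented, expected) {
  const a = crypto.createHash("sha256").update(presented).digest();
  const b = crypto.createHash("sha256").update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// True only for "Authorization: Bearer <expectedToken>".
// Fails closed when no token is configured or the header is missing/malformed.
function isAuthorized(headerValue, expectedToken) {
  if (typeof headerValue !== "string" || !expectedToken) return false;
  const m = /^Bearer +(\S+)$/i.exec(headerValue); // scheme is case-insensitive
  return m !== null && tokensMatch(m[1], expectedToken);
}

// Wraps a request handler so every route requires the bearer token.
function createProtectedServer(expectedToken, handler) {
  return http.createServer((req, res) => {
    if (!isAuthorized(req.headers.authorization, expectedToken)) {
      res.writeHead(401, { "WWW-Authenticate": "Bearer" });
      res.end();
      return;
    }
    handler(req, res);
  });
}

// Usage (assumption: token taken from BW_SESSION, port as in the post):
// createProtectedServer(process.env.BW_SESSION, (req, res) => res.end("ok"))
//   .listen(8087, "127.0.0.1");
```

Binding to 127.0.0.1 keeps the endpoint off the network; the token check is what separates one local process from another.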