schmartyi would actually like lasso to check whether a user is authorized, but i don't grok how it allows you to specify authorization. there's something about encoding "grants" into the JWT it uses for the identifying cookie, but i am a little lost.
