REMOTE_USER auth shouldn't trigger csrf rejects
Move all authentication fully to DRF. We were incorrectly configuring
webserver auth support in django and not DRF. This ports the setting
REMOTE_USER_ENVIRON_NAME to work with DRF instead of Django.
It adjusts the settings.py so there are removal claims even though this will likely go into a z-release. It's an important FYI for the user.