Added proper authentication check:
- User tokens now correctly give access to their own /api/u/<username> endpoints
- Better error messages distinguish between missing auth and wrong user
- Global tokens still blocked from user endpoints
- User tokens still blocked from global endpoints