Implement cryptographically-correct pass validation in the server-side part

The client presents passes along with a number of API operations now. For allocate_buckets, the server should validate the passes and deny the operation if the passes are invalid or presented in insufficient quantity.