Documentation on Auth of OPTIONS requests

[kolektiv]

As noted in #184 it's not intuitive that auth needs to be explicitly "bypassed" in logic for OPTIONS requests (at least for CORS). This should be documented and ideally sample code provided to make this obvious and easy.

[btrepp]

Is it possible to make the cors-machine bypass the auth?. The way it stands is there is two ways I see this being used.

1. The client is actually trying to do an OPTIONS call, eg to find out if it can say access the resource, I can see authorization being useful here
2. The client is checking CORS, auth is never allowed here.

To me these are two completely different actions (despite both occuring due to an OPTIONS request).
I don't know enough about CORS to know if the cors machine can correctly detect it is a cors request,
but how I imagine the flow would be

request -> is cors check? -> yes -> cors sections run, skips rest of machine and responds
request -> is cors check?-> no -> run freyahttpmachine as normal