Pass credentials to etherpad if it requires them.

[markmacgillivray]

As pass-through of etherpad requests through the app API is complex, instead could just lockdown the etherpad service, and have the app send the required auth. Then pads could not be read directly without a login to the pads service, and so could also only be created via the app itself, thus securing pad content. But note, when a page is chosen for editing, we either have to pass through the auth of the logged in user or be able to set the pad itself at the etherpad end to public, as they are simply embedded. So, check if it is possible to set individual pads to public or private via the API