make serveKeepLocked check auth just to be safe

doc/design/p2p_protocol_over_http/draft1.mdwn

@@ -234,6 +234,9 @@ If the connection is closed before the client sends `{"unlock": true},
 or even if the web server gets shut down, the content will remain
 locked for 10 minutes from the time it was first locked.
 
+Note that the common parameters bypass and clientuuid, while
+accepted, have no effect.
+
 ### POST /git-annex/$uuid/v2/keeplocked
 
 Identical to v3.

doc/todo/git-annex_proxies.mdwn

@@ -32,9 +32,6 @@ Planned schedule of work:
 
 * A Locker should expire the lock on its own after 10 minutes initially.
 
-* serveKeepLocked should check auth just to be safe, although added
-  security is probably minimal.
-
 * Make Remote.Git use http client when remote.name.annex-url is configured.
 
 * Make http server support proxies and clusters.