Fix handling of preflight requests

Pre-flighted OPTIONS requests do not include authentication information,
which means that we should not expect these to be authenticated.
Authentication will be validated when the real PUT/POST etc request is
issued after the preflight.

notebook/base/handlers.py

@@ -387,7 +387,6 @@ class APIHandler(IPythonHandler):
         self.set_header('Content-Type', 'application/json')
         return super(APIHandler, self).finish(*args, **kwargs)
 
-    @web.authenticated
     def options(self, *args, **kwargs):
         self.set_header('Access-Control-Allow-Headers', 'accept, content-type')
         self.set_header('Access-Control-Allow-Methods',