Due to https://github.com/BurntSushi/toml/issues/169, we can't simply
use IsDefined to check whether a user supplied a config value in an
array of tables, as in:
[[FallbackAPIServers]]
CacheTTLSeconds = 123
We can work around this by using *T instead of T in the config
file schema. If the TOML key is not set, it will be parsed as nil.
authlib-injector specifies POST /profiles/minecraft as the only
available route for player name -> UUID, so we have to use it if we want
to support authlib-injector-compatible fallback API servers.
Resolves https://github.com/unmojang/drasl/issues/39
* Use __Host- cookie prefix instead of setting Domain
See https://stackoverflow.com/a/64735551
* Unlinking OIDC accounts
* AllowPasswordLogin, OIDC docs, cleanup
* YggdrasilError
* Migrate existing password users without login
* API query/create/delete user OIDC identities
* test APICreateOIDCIdentity
* test APIDeleteeOIDCIdentity
* API Create users with OIDC identities
* OIDC: PKCE
* Use YggdrasilError in authlib-injector routes
* OIDC: AllowChoosingPlayerName
* recipes.md: Update for OIDC and deprecated config options
* OIDC: fix APICreateUser without password, validate oidcIdentities
* OIDC: error at complete-registration if no preferred player name
* Proper error pages
* MC_ prefix for Minecraft Tokens
* Initial support for Authlib-Injector Upload API
- Support for HMCL
* Added Skin endpoint
* Support for capes
* Support for DELETE
* Explicitly route authlib-injector URLs, don't rewrite
* Test authlib-injector texture upload/delete
---------
Co-authored-by: Evan Goode <mail@evangoo.de>
* APIs for login and register
* return 403 instead of 423 if account is locked
* add login API route to ratelimiter
* APILogin remove browser token gen & return, give API token instead
* generalize login logic
* remove transient user handling
* remove APIRegisterChallenge due to unnecessary
* remove honeypot from APIRegister
* APIRegister remove browser token gen & return, give API token instead
* add register API route to ratelimiter
* add missing API godoc
* Clean up app.Login error handling
* Fix rate-limit errors for API routes
* Deduplicate APICreateUser and APIRegister
* Rate-limit all non-admin unsafe API requests
* APILogin test
* Make SetIsLocked write to the tx
* Add CORSAllowOrigins option
* Assert SetIsLocked without err variable
* Fix and test API rate limiting
---------
Co-authored-by: Evan Goode <mail@evangoo.de>
