Resolves https://github.com/unmojang/drasl/issues/39
* Use __Host- cookie prefix instead of setting Domain
See https://stackoverflow.com/a/64735551
* Unlinking OIDC accounts
* AllowPasswordLogin, OIDC docs, cleanup
* YggdrasilError
* Migrate existing password users without login
* API query/create/delete user OIDC identities
* test APICreateOIDCIdentity
* test APIDeleteeOIDCIdentity
* API Create users with OIDC identities
* OIDC: PKCE
* Use YggdrasilError in authlib-injector routes
* OIDC: AllowChoosingPlayerName
* recipes.md: Update for OIDC and deprecated config options
* OIDC: fix APICreateUser without password, validate oidcIdentities
* OIDC: error at complete-registration if no preferred player name
* Proper error pages
* MC_ prefix for Minecraft Tokens
* APIs for login and register
* return 403 instead of 423 if account is locked
* add login API route to ratelimiter
* APILogin remove browser token gen & return, give API token instead
* generalize login logic
* remove transient user handling
* remove APIRegisterChallenge due to unnecessary
* remove honeypot from APIRegister
* APIRegister remove browser token gen & return, give API token instead
* add register API route to ratelimiter
* add missing API godoc
* Clean up app.Login error handling
* Fix rate-limit errors for API routes
* Deduplicate APICreateUser and APIRegister
* Rate-limit all non-admin unsafe API requests
* APILogin test
* Make SetIsLocked write to the tx
* Add CORSAllowOrigins option
* Assert SetIsLocked without err variable
* Fix and test API rate limiting
---------
Co-authored-by: Evan Goode <mail@evangoo.de>
The authlib-injector spec only requires /profiles/minecraft to be
implemented, not necessarily /users/profiles/minecraft/:playerName, so
the /profiles/minecraft at least should query fallback API servers at
/profiles/minecraft.
Also fixes potential DoS by introducing a limit of 10 players per
request (also which prevents fallback API servers from being spammed)
