21 Commits

Author SHA1 Message Date
Evan Goode
5252317a53 Lots of API cleanup, link to Swagger API docs 2025-03-22 23:05:38 -04:00
Evan Goode
8ccb3babeb Fix player faces on admin page 2025-03-22 17:43:56 -04:00
Evan Goode
5c1f6c1cfa
Implement SSO via OIDC (#127)
Resolves https://github.com/unmojang/drasl/issues/39

* Use __Host- cookie prefix instead of setting Domain

See https://stackoverflow.com/a/64735551

* Unlinking OIDC accounts

* AllowPasswordLogin, OIDC docs, cleanup

* YggdrasilError

* Migrate existing password users without login

* API query/create/delete user OIDC identities

* test APICreateOIDCIdentity

* test APIDeleteOIDCIdentity

* API Create users with OIDC identities

* OIDC: PKCE

* Use YggdrasilError in authlib-injector routes

* OIDC: AllowChoosingPlayerName

* recipes.md: Update for OIDC and deprecated config options

* OIDC: fix APICreateUser without password, validate oidcIdentities

* OIDC: error at complete-registration if no preferred player name

* Proper error pages

* MC_ prefix for Minecraft Tokens
2025-03-22 16:40:26 -04:00
хлифи
fbc8f9d45a
APIs for login and register (#136)
* APIs for login and register

* return 403 instead of 423 if account is locked

* add login API route to ratelimiter

* APILogin remove browser token gen & return, give API token instead

* generalize login logic

* remove transient user handling

* remove APIRegisterChallenge as unnecessary

* remove honeypot from APIRegister

* APIRegister remove browser token gen & return, give API token instead

* add register API route to ratelimiter

* add missing API godoc

* Clean up app.Login error handling

* Fix rate-limit errors for API routes

* Deduplicate APICreateUser and APIRegister

* Rate-limit all non-admin unsafe API requests

* APILogin test

* Make SetIsLocked write to the tx

* Add CORSAllowOrigins option

* Assert SetIsLocked without err variable

* Fix and test API rate limiting

---------

Co-authored-by: Evan Goode <mail@evangoo.de>
2025-02-15 21:43:02 -05:00
Evan Goode
1f48320a2f api: don't allow revoke admin status of DefaultAdmins 2025-02-02 22:29:23 -05:00
Evan Goode
e286356cd7 Lint 2024-12-28 21:07:32 -05:00
Evan Goode
0865865cd3 Player API routes, API tests/fixes 2024-12-28 21:07:32 -05:00
Evan Goode
d6d29b2274 Allow setting max player count on edit user page 2024-12-28 21:07:32 -05:00
Evan Goode
1da3ac2601 Allow setting user's max player count in admin panel 2024-12-28 21:07:32 -05:00
Evan Goode
faec464a4e Most Front tests passing 2024-12-28 21:07:32 -05:00
Evan Goode
1a8d312797 Tests passing except Front 2024-12-28 21:07:32 -05:00
Evan Goode
738d80538f Make multiple profiles usable from web front end 2024-12-28 21:07:32 -05:00
Evan Goode
f58ce99eae Initial changes to support multiple players per user 2024-12-28 21:07:32 -05:00
Evan Goode
1b6fdf2341 Add AllowTextureFromURL option, default false
Adds the `AllowTextureFromURL` config option and makes it false by
default. Admins can still set skins and capes by URL, via the front end
or the API, regardless of this setting. Allowing users to specify
textures via URL is a possible security concern and doesn't really
improve the UX that much, so we should make it opt-in.

For https://github.com/unmojang/drasl/issues/116.
2024-11-26 14:56:59 -05:00
Evan Goode
f02e4370a5 Rework error handling 2024-08-15 12:33:59 -04:00
Evan Goode
f27e0d75fb API descriptions 2024-08-15 12:33:59 -04:00
Evan Goode
5c1b0f7f8f fix fallbackplayer 2024-08-15 12:33:59 -04:00
Evan Goode
db14f9340d APIGetChallengeSkin, cleanup 2024-08-15 12:33:59 -04:00
Evan Goode
8f1a87aa1a More API routes and refactoring 2024-08-15 12:33:59 -04:00
Evan Goode
7d8aef7737 APICreateUser 2024-08-15 12:33:59 -04:00
Evan Goode
f7ad78d8e9 refactor: CreateUser 2024-08-15 12:33:59 -04:00