* APIs for login and register
* return 403 instead of 423 if account is locked
* add login API route to ratelimiter
* APILogin remove browser token gen & return, give API token instead
* generalize login logic
* remove transient user handling
* remove APIRegisterChallenge since it is unnecessary
* remove honeypot from APIRegister
* APIRegister remove browser token gen & return, give API token instead
* add register API route to ratelimiter
* add missing API godoc
* Clean up app.Login error handling
* Fix rate-limit errors for API routes
* Deduplicate APICreateUser and APIRegister
* Rate-limit all non-admin unsafe API requests
* APILogin test
* Make SetIsLocked write to the tx
* Add CORSAllowOrigins option
* Assert SetIsLocked without err variable
* Fix and test API rate limiting
---------
Co-authored-by: Evan Goode <mail@evangoo.de>

Adds the `AllowTextureFromURL` config option and makes it false by
default. Admins can still set skins and capes by URL, via the front end
or the API, regardless of this setting. Allowing users to specify
textures via URL is a possible security concern and doesn't really
improve the UX that much, so we should make it opt-in.
For https://github.com/unmojang/drasl/issues/116.

Also update supportedSystems to include darwin
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/9d29cd266cebf80234c98dd0b87256b6be0af44e' (2024-05-25)
→ 'github:NixOS/nixpkgs/2768c7d042a37de65bb1b5b3268fc987e534c49d' (2024-10-23)

- Don't animate if WebGL fails on failIfMajorPerformanceCaveat (if
browser is using a software renderer)
- Remove array access
- Reduce texture lookups from 16 to 8