@milesstoetzner milesstoetzner commented Jul 9, 2025

primary goal is to add persistent auth session and consent prompting to the oauth flows without touching too much internals ...

major changes ...

  • persistent cookie-based auth session
  • no reauth on new oauth flow if already logged in
  • prompt consent screen (skipped for internal clients or if already consented)
  • unlink account
  • accounts page
  • access token and refresh token only in memory (javascript only, not stored in localstorage)
  • update gropius frontend (update to auth rework gropius-frontend#5)
  • logout session
  • logout everywhere
  • linking additional account is no longer an oauth flow between the frontend and backend (ofcs there is still one between gropius and external auth server)
  • debug page
  • migrate from middlewares to services
  • ActiveLogin is split into ActiveLogin (for data) and ActiveLoginAccess (for refresh tokens)
  • renamed GROPIUS_REGISTRATION_EXPIRATION_TIME_MS to GROPIUS_FLOW_EXPIRATION_TIME_MS
  • renamed GROPIUS_REGULAR_LOGINS_INACTIVE_EXPIRATION_TIME_MS to GROPIUS_ACTIVE_LOGIN_EXPIRATION_TIME_MS (and dropped the "0 means no expiration logic")
  • added GROPIUS_ACTIVE_LOGIN_MAX_EXPIRATION_TIME_MS
  • renamed GROPIUS_OAUTH_CODE_EXPIRATION_TIME_MS to GROPIUS_AUTHORIZATION_CODE_EXPIRATION_TIME_MS
  • added GROPIUS_REFRESH_TOKEN_EXPIRATION_TIME_MS
  • added GROPIUS_LOGIN_TRUST_PROXY, GROPIUS_LOGIN_SESSION_SECRET, and GROPIUS_LOGIN_COOKIE_SECURE
  • cleanup concept of expiration of entities
  • session-bound CSRF protection
  • flow-bound CSRF protection
  • track and check flow state between redirects
  • error handling using decorators
  • update deployment (https://github.com/ccims/gropius)
  • update docs (https://github.com/ccims/gropius)

working flows ...

  • registration using userlocal-pass
  • login using userlocal-pass
  • registration using github
  • login using github
  • linking additional github account

however ...

  • cleanup
  • test functional
  • test under https (coz cookie)
  • error redirects

future ...

  • enable tsconfig strictNullChecks
  • migrate from services to proper workflows
  • consent before linking accounts
  • proper use of ConfigService
  • completely migrate to zod or joi instead of custom input validators, zod, and joi
  • proper guards at {gropius login frontend}/auth/flow/{login,register,register-additional,prompt} to prevent broken flows
  • proper use of OIDC for authenticating a user at a gropius client
  • doc decorator for CSRF protection
  • doc decorator for required cookie
  • proper state machine/ workflow model

@milesstoetzner milesstoetzner marked this pull request as ready for review November 20, 2025 11:40
@nk-coding nk-coding merged commit e5392c4 into main Nov 26, 2025
2 checks passed
@nk-coding nk-coding deleted the session branch November 26, 2025 12:34