Provide proper first-party oauth server by API

[opatut]

I am following RFC8252 and security-topics to suggest and implement a change in the authorization schemes for improved security across the whole portal system. The design goal is to follow the above specs to reduce the attack surface on the web application (frontend) by using standardized, documented and well-known best practices.

This involves the following steps:

• Cookie (http-only) based sessions for transaction management
• Implement authorization code flow
• Minimal HTML rendering for login
• Small CSS style and frame layout to make it look first-party
• Add support for (and enforce the use of) PKCE
• Registration form
• Password reset
• Account email verification pages
• Move new react frontend to auth code flow
• Harden react flow with PKCE, according to {RFC8252]

Afterwards, these topics will await us

• Review spec conformity Review new authentication mechanisms #63
• Move config-server from copy-paste of tokens to auth code flow w/ PKCE (in browser) Implement new OAuth flow OpenBikeSensorFirmware#241
• Remove OBSUserId authentication scheme, see Stop using the user ID as a authorization token #28

I know this sounds like a lot but I think it is manageable and it will let me sleep better at night ;)

Yes, this removes some features (login & registration forms, email verification) from the frontend code and moves it to the server, but it would have to be reimplemented anyway in React, and this way it's actually easier to build, extend, and control. Plus it's frontend independent, so it will integrate with any other app that somebody might build in the future (e.g. native apps etc). I think it's a good thing.

[opatut]

I've created new tickets for the remaining tasks, so this can be closed.