avoid rogue 2fa code generations

When a wiki uses rewriting, non-existing files are mapped to doku.php
and interpreted as page names. When using a 2fa provider that transmits
codes (like email) this

avoid rogue 2fa code generations

When a wiki uses rewriting, non-existing files are mapped to doku.php
and interpreted as page names. When using a 2fa provider that transmits
codes (like email) this could lead to sending multiple codes out for
each of these bogus requests. This patch ensures that the 2fa form (and
code sending) is only triggered for document requests as indicated by
the sec-fetch-dest request header.

show more ...

protect password reset with 2fa

This needed some internal changes, because now 2fa data needs to be
checked for a user that is not logged in. Providers may need adjustments
if they access user data.

protect password reset with 2fa

This needed some internal changes, because now 2fa data needs to be
checked for a user that is not logged in. Providers may need adjustments
if they access user data. They should use the getUserData() method of
the abstract Provider class to do so.

show more ...

changed how provider setup works

This makes the interface a bit cleaner and less confusing

use action to register providers

manage optouts

fix cookie security

The cookie is now tied to the provider and cookie secret. This way it
can not be constructed without inside knowledge.

handle user default providers

initial login handling

use Manager singleton to check and load providers

first go a profile refactoring