Some errors (validation) have structured contents, not just an error
string, so we return them JSON-encoded along with a HTTP error 400.

Previously we were returning error 500 when we should have returned a 400.

If the user has no encryption keys, we'll initialize them on password
changes. This feature is controlled by a configuration parameter.

Still poor validation, but at least not wrong.

Still poor validation, but at least not wrong.

Simpler interfaces

See merge request !2

Referring to the account is clearer. Also add account recovery
integration tests, and a test fixture with encryption keys.

Structure flow around requests themselves and composition rather than
handlers and wrappers, the results are likely more readable (and
shorter).

Move all the user auth management business logic to a smart RawUser
object, to separate it from details of API handling. The result should
be more understandable: all critical changes are contained within a
single type.

Also, with all the workflow driven by Requests, we can get rid of the
boilerplate in the HTTP API server and replace it with a tiny tiny
layer of reflection.

Forgot to initialize the wrapped u2f.Registration.

Establish a standardized serialization format for u2f registration
keys: base64-encoded raw registration data, encoded as a JSON
string. This format decodes transparently to a Go []byte slice, but it
needs explicit base64 decoding in Python.

Previously it was deleting aliases instead of adding them.

The type is already encoded in the resource ID, but this is handy for
API clients so that they do not need to parse resource IDs.

Make it possible for the sso-server to fetch the recovery hint using
the same API.

It makes more sense to have this directly on the User object.

Adds UIDs to users, websites, DAV accounts.

Assign a random UID to newly created users, and ensure that all
associated resources have the same UID as well.