Refactor the login handler

The login handler is now a simpler, standalone http.Handler wrapper. The separation between the SSO application and the login handler is now fairly complete.

The login handler no longer forces the user to a specific workflow via session cookies, but it works on a request-by-request basis instead, which makes the "back" button works as expected (allowing the user to bail out of a broken 2FA process, for example).

Session handling has been simplified as well: there is a single session for authentication and login state, which should remove the opportunity for session synchronization errors.

proxy/proxy.go

@@ -19,6 +19,9 @@ import (
 	"git.autistici.org/id/go-sso/httpsso"
 )
 
+// TTL for SSO sessions on the proxy.
+var proxyAuthTTL = 1 * time.Hour
+
 // RNG for the random backend selector.
 var rnd = rand.New(rand.NewSource(time.Now().UnixNano()))
 
@@ -131,6 +134,7 @@ func NewProxy(config *Config) (http.Handler, error) {
 		config.SSODomain,
 		[]byte(config.SessionAuthKey),
 		[]byte(config.SessionEncKey),
+		proxyAuthTTL,
 	)
 	if err != nil {
 		return nil, err