Refactor the login handler

The login handler is now a simpler, standalone http.Handler wrapper. The separation between the SSO application and the login handler is now fairly complete.

The login handler no longer forces the user to a specific workflow via session cookies, but it works on a request-by-request basis instead, which makes the "back" button works as expected (allowing the user to bail out of a broken 2FA process, for example).

Session handling has been simplified as well: there is a single session for authentication and login state, which should remove the opportunity for session synchronization errors.

server/scripts/sri.go

+// +build ignore
+
 package main
 
 import (
@@ -10,6 +12,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 )
 
@@ -65,8 +68,14 @@ func codegen(w io.Writer, m map[string]string) {
 	io.WriteString(w, `
 var sriMap = map[string]string{
 `)
-	for k, v := range m {
-		fmt.Fprintf(w, "\t%q: %q,\n", k, v)
+	// Dump the map in sorted order.
+	var keys []string
+	for k := range m {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	for _, k := range keys {
+		fmt.Fprintf(w, "\t%q: %q,\n", k, m[k])
 	}
 	io.WriteString(w, "}\n")
 }