Refactor the login handler

The login handler is now a simpler, standalone http.Handler wrapper. The separation between the SSO application and the login handler is now fairly complete.

The login handler no longer forces the user to a specific workflow via session cookies, but it works on a request-by-request basis instead, which makes the "back" button works as expected (allowing the user to bail out of a broken 2FA process, for example).

Session handling has been simplified as well: there is a single session for authentication and login state, which should remove the opportunity for session synchronization errors.

httputil/session_test.go

-package httputil
-
-import (
-	"encoding/gob"
-	"net/http"
-	"testing"
-	"time"
-
-	"github.com/gorilla/sessions"
-)
-
-type mySession struct {
-	Data string
-}
-
-func init() {
-	gob.Register(&mySession{})
-}
-
-func TestExpiringSession(t *testing.T) {
-	store := sessions.NewCookieStore()
-	req, _ := http.NewRequest("GET", "http://localhost/", nil)
-
-	httpsess, err := GetExpiringSession(req, store, "testkey", 60*time.Second)
-	if err != nil {
-		t.Errorf("store.Get error: %v", err)
-	}
-
-	if _, ok := httpsess.Values["mykey"].(*mySession); ok {
-		t.Fatal("got a session without any data")
-	}
-}