Add built-in authentication support

[aaronpk]

In order to support basic installs, traditional username/password login should be supported. Otherwise it takes a lot of additional work to configure alternative authentication mechanisms.

[aaronpk]

There's a lot of implications here that we'll need to think through, primarily around how to handle password resets.

There's no good automatic way to be able to send password reset emails. The easiest option is to cross our fingers and hope that the machine it's installed on has the ability to send mail itself, although that's going to bump up against deliverability issues very quick.

It'd be better to use a service like Mailgun, but that then requires sending them off to go get API keys there.

[aaronpk]

Good things come to those who wait! I was able to add support for passkeys to avoid any password reset stuff. Technically there's still no recovery flow if you lose the passkey other than deleting the user from the database, but it is (theoretically) harder to lose a passkey than a password, so I'm ok with that.

For now, if you choose passkeys in the setup, when you log in it will first ask you to create the admin user account. There is no registration flow for other users in this mode, so it's effectively a single-user website when passkeys are enabled. Creating a signup flow with policies on who can register is a larger project, and might be better off using github/oidc/vouch at that point instead.