btimby / nimtok

IPFS / Nimiq messaging
MIT License

Rework login / session / remember me. #2

Closed btimby closed 3 years ago

btimby commented 3 years ago

The current iteration of authentication works like this.

This is fairly safe as the user information is inaccessible unless the password is given.

However, to avoid asking the user for a password each time the page loads (refresh), the user information is stored in sessionStorage. But someone could easily fiddle with this information to use different accounts (on a shared machine), since the password is not necessary.

Further, the IPFS key information is stored in IndexedDB, and can also be altered.

I would like to make the following changes:

  1. DO ask for a password whenever the application loads.
  2. DO NOT remember the user's session when they refresh.
  3. DO remember the user's previously used username (pre-select it).
  4. DO implement an IPFS repo that encrypts the key information using the password-derived key.
  5. DO modify the login page to resemble that of Windows or Ubuntu, listing the user accounts and icons and verifying the password (with an option to add an account).
  6. DO implement an account import / export.

Importing and exporting accounts to / from a file, so they are portable to other devices or portals.

btimby commented 3 years ago

I am still using persistent logins à la session storage. This will be removed soon enough, but the Login / Logout / Register is pretty smooth at this point.