Used application/json for session POST

[ricellis]

Checklist

• [x] Tick to sign-off your agreement to the Developer Certificate of Origin (DCO) 1.1
• [x] Added tests for code changes or test/build only changes
• [x] Updated the change log file (CHANGES.md|CHANGELOG.md) or test/build only changes
• [x] Completed the PR template below:

Description

Use application/json for _session POST of cookie auth

1. Steps to reproduce and the simplest code sample possible to demonstrate the issue

Pass a url containing percent-encoded user information.

2. What you expected to happen

cookieauth plugin session authentication to work correctly

3. What actually happened

401 unauthorized because the credentials were double encoded.

Approach

• Decoded credentials from URL before passing to CookieTokenManager.
  • Prevents double encoding if passed in a form body
• Modified CookieTokenManager to use json body instead of form encoded anyway
• Improved documentation of characters that must be encoded.

Schema & API Changes

• No change

Security and Privacy

Insignificant changes to handling of credentials

• For cookieauth credentials are now posted in a JSON body instead of as form encoded data, but it is the same request body as previously (i.e. if the server is https then the body containing the creds will be encrypted)
• Preferentially credentials should be passed in the username and password configuration options instead, but in the case where they are passed in the URL user info it is now documented what characters must be encoded.

Testing

• Modified existing cookieauth tests to use a password with special characters.
• Additional manual testing of credentials passed in URL.

Monitoring and Logging

• "No change"

[ricellis]

@bessbd I tried to make the doc even more clear with an example in 245cbb0