[x] removed the redirect to warn when users are locked out as this didn't work with ajax login form
[x] uses status messages instead to warn on each attempt + say the user is locked out
to make this work it no longer throws an unauthorised exception. Instead it ensures its the first auth plugin and then clears the credentials
TODO: do all plugins use credentials? if not this won't work
[ ] add upgrade step to reorder plugins
[ ] fix the double status messages
[ ] fix readme to describe how it now works
[ ] get ready for a release
Out of scope
[ ] modify restapi login so the statusmessages are sent back in the api? (and then also modify volto get it to use the error message from restapi)
[ ] test if it works with other kinds of PAS plugins
can see it wouldn't prevent login with dm.saml2 because the username isn't in the credentials. but I guess it's not supposed to work with that since the user isn't attempting logins here
Out of scope