Provide verified self-registration with the bot (i.e. `,user add`) by sending a DM to the bot.

Auth flow will be:

1. Discord user sends a DM to the bot: `,user add <login-id-or-profile-url>`
2. Bot generates a six-digit code and instructs the user to send it in a Message from their iNaturalist account to user @dronefly.
3. The user has 24 hours to use the code to verify their identity.
4. Periodically, the bot will poll the Inbox of the @dronefly iNaturalist account with an authenticated request.
5. Once the code is detected, the bot will complete the registration, and the user will now be known to the bot in any DM'd commands.
This will require storing that account's password in the dronefly global config.
For an added measure of security, that password will be encrypted with a password that the bot owner must enter to unlock it (upon load of inatcog, the owner will be DM'd by the bot to enter it).
The iNaturalist account to use for receiving verification messages must not be hardwired. The bot owner needs to configure this.
In the final confirmation notice, Dronefly will send the user a tip about optionally doing `,user set known true` to allow the bot to know them on any Discord server where both they and Dronefly are members.
I'm not entirely happy with this plan. I'd rather see a standard OAuth webapp flow here. But that would involve writing (and hosting somewhere on the web) a whole webapp for Dronefly. I think there are other benefits to pairing the bot with a webapp that might push me in that direction, though, in future, so that possibility makes me disinclined to put this on the critical path for a first public release.
Face it: on the Internet anyone can claim to be anyone. Usually in the communities where that matters people catch on quickly and members are informed. That doesn't require technological measures to spot and correct. If we had a huge user base where it's much harder to keep tabs on users that might be pretending to be someone they aren't, it might be more important to have verified identities, but at present, the Dronefly user base is so small I don't think this one is worth doing. Therefore I am closing it now and taking it off the critical path for a first public release.
If I'm going to go ahead with #161 and use the bot to update projects, I might as well keep this one on the books and tackle it after that one, since it is more of the same. Also, as appealing as a possible webapp companion might be, it raises the bar for other people running their own bot instances, i.e. they might be fine with running a bot, but not fine with running a webapp too. Therefore, making the bot partially dependent on one might not be a great plan. (Not to mention, where am I going to suddenly find time to do this? Gotta be realistic.)
Background discussion for this feature: https://forum.inaturalist.org/t/how-to-implement-verified-identity-handshake-without-a-webapp/19613
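The code-handling part of the auth flow in the issue description, sketched as an added example (not Dronefly's or inatcog's own code): a code is issued per Discord user, expires after 24 hours, is single use, and only counts when it arrives from the iNaturalist account the user claimed. `VerificationStore`, `Pending` and the `(sender_login, body)` message shape are hypothetical names; the authenticated inbox poll itself is assumed to happen elsewhere and hand its results to `check_inbox`.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 24 * 60 * 60  # the 24-hour window from the flow


@dataclass
class Pending:
    inat_login: str    # account the Discord user claims to own
    code: str
    expires_at: float


class VerificationStore:
    """Hypothetical in-memory store; a real cog would persist this."""

    def __init__(self):
        self._pending = {}  # discord_user_id -> Pending

    def issue(self, discord_id, inat_login, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        # Re-issuing replaces any earlier code for this Discord user.
        self._pending[discord_id] = Pending(
            inat_login.lower(), code, now + CODE_TTL_SECONDS)
        return code

    def check_inbox(self, messages, now=None):
        """messages: list of (sender_login, body) pairs from one inbox poll.
        Returns the Discord ids verified by this poll."""
        now = time.time() if now is None else now
        verified = []
        for discord_id, p in list(self._pending.items()):
            if now > p.expires_at:
                del self._pending[discord_id]  # expired codes never match
                continue
            for sender, body in messages:
                # The code only counts when sent from the claimed account.
                if sender.lower() == p.inat_login and hmac.compare_digest(
                        body.strip().encode(), p.code.encode()):
                    verified.append(discord_id)
                    del self._pending[discord_id]  # single use
                    break
        return verified
```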