Improve passord handling

[niccofyren]

This PR introduces a "couple" of tweaks to how passwords and login are handled:

• Adds some new password helper methods to User model using php's password_... methods
• Updates controllers to use these new methods (in order to avoid trying to keep different implementations in sync)
• Adds automatic re-hashing of existing passwords on login (md5 -> blowfish (current) -> whatever is next)
• Removes a couple of webroot/api/*login.php files using outdated implementations (is this what we call the "legacy auth api"?
• "Upgrades" Api/Auth to only accept POST (with JSON) requests (to avoid passing plain text credentials as get parameters)
• Makes profile password page and reset password page use similar validation logic
• Moves hard coded cookie encryption key to ENV (used to encrypt cookie containing credentials) and indirectly makes feature optional

Checklist for getting in prod:

• [ ] Add AUTH_COOKIE_KEY value to prod env
• [ ] Update services actively using Api/Auth: GET => POST, Url parameters => JSON object, md5(password) => password
  • [ ] Gathering.org WP-plugin
  • [ ] ???

Relates to: https://github.com/gathering/wannabe/issues/9 Relates to: https://github.com/gathering/wannabe/issues/8 (Maybe 🤷‍♂)

[Brekkjern]

You are correct that the /api/login.php endpoint is the legacy API and should be nuked from orbit.

[Brekkjern]

I had a look through the code and it looks fine, but I had no opportunity to test it out. Anyone else able to give this a shot?

[KristianLyng]

It looks good to me. And for the record, the old /api/login.php is not in use - it's blocked by apache as well, so no harm in nuking it.

Merging.