justinmayer / kagi

WebAuthn security keys and TOTP multi-factor authentication for Django
BSD 2-Clause "Simplified" License
91 stars 10 forks

Remove django-extensions and runserver_plus #29

Closed justinmayer closed 5 years ago

justinmayer commented 5 years ago

@Natim mentioned that the demo project appears to work on localhost over HTTP via standard runserver, while we previously assumed HTTPS and thus runserver_plus were required.

At first I was a bit worried about this… Since my understanding is that HTTPS is required for WebAuthn, I thought perhaps that could mean something is awry. I did some more reading, and it seems HTTPS is required for the older U2F standard, while WebAuthn relaxes this restriction for localhost origins and only requires a "secure context", which means HTTP for localhost and HTTPS for all other origins:

Please note that WebAuthn API will not work on pages loaded over HTTP, unless it is localhost, which is considered secure context. (source)

A welcome improvement to the standard, in my opinion. 👏

So perhaps we can remove django-extensions, change runserver_plus references to runserver, and add documentation explaining that users will need HTTPS for non-localhost origins.
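The secure-context rule described in this comment, written out as an added example rather than code from kagi or from the issue: a Relying Party that verifies the `origin` field of a WebAuthn clientDataJSON should accept HTTPS origins and plain-HTTP origins only when the host is localhost (or, per the W3C Secure Contexts rules, a `*.localhost` name or a loopback address). The function names and the sample origins in the block are constructed for illustration, and the expected-origin set stands in for whatever the deployment configures.

```python
"""Added example (not part of kagi or the original issue): decide whether a
WebAuthn Relying Party should accept a reported client origin, applying the
secure-context rule: HTTPS for any host, plain HTTP only for localhost.
All host names, ports and the expected-origin set below are constructed."""

import ipaddress
from urllib.parse import urlsplit


def is_localhost(hostname: str) -> bool:
    """True for hosts browsers treat as local: 'localhost', any
    '*.localhost' name, and the loopback ranges 127.0.0.0/8 and ::1."""
    host = hostname.lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        # urlsplit().hostname already strips the [] around IPv6 literals.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # ordinary DNS name, not an IP literal


def is_secure_context_origin(origin: str) -> bool:
    """True when a browser would consider the origin a secure context:
    https:// for every host, http:// only for localhost/loopback hosts."""
    parts = urlsplit(origin)
    # A WebAuthn origin is scheme://host[:port] and nothing more.
    if not parts.hostname or parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        return is_localhost(parts.hostname)
    return False


def accept_client_origin(origin: str, expected_origins: set[str]) -> bool:
    """Relying Party check for clientDataJSON['origin']: it must be one of
    the origins this deployment was configured with AND a secure context,
    so an http:// origin for a non-localhost host is rejected even if it
    was (mistakenly) placed in the configuration."""
    return origin in expected_origins and is_secure_context_origin(origin)


if __name__ == "__main__":
    # Constructed demo: what the dev server and a production host look like.
    configured = {"http://localhost:8000", "https://example.com"}
    for candidate in [
        "http://localhost:8000",    # dev via plain runserver: accepted
        "http://127.0.0.1:8000",    # loopback, but not in the configured set
        "https://example.com",      # production over HTTPS: accepted
        "http://example.com",       # non-localhost over HTTP: rejected
    ]:
        print(f"{candidate:26} -> {accept_client_origin(candidate, configured)}")
```

Running the block prints the decision for each constructed origin; the second line shows that the secure-context rule does not replace the exact-origin match, since `http://127.0.0.1:8000` is a secure context but is not one of the configured origins.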

justinmayer commented 5 years ago

As a follow-up to this topic:

In short, there is a possibility that someday we may have to revert this and go back to HTTPS for localhost, but hopefully that will not come to pass. 🤞