
Remove PAUSE login dependency on @cpan.org email addresses #1288

Open
haarg opened this issue Oct 8, 2024 · 3 comments

Comments

@haarg
Member

haarg commented Oct 8, 2024

The @cpan.org mail redirector is very unreliable, and unlikely to be improved. We should move away from using it.

Currently, logging in to a PAUSE account sends an email to their @cpan.org address with a confirmation link. We should find an alternative method.

The best option would be to use OAuth 2. This would require implementing it on PAUSE. PAUSE is now using Mojolicious for its web interface. It should be possible to implement this using Mojolicious::Plugin::OAuth2::Server. See also andk/pause#258

For reference, some other services have implemented PAUSE linking by directly accepting PAUSE login details, then internally testing a login using them. AFAIK this is the method rt.cpan.org uses. This is pretty terrible security though. You are asking people to provide login details to a third party. It substantially increases the sensitivity of the data you need to access. And it wouldn't work well with any changes or improvements PAUSE makes to its login flow.

@tessarin

tessarin commented Oct 9, 2024

I was wondering if you have considered allowing users to upload a file with a generated key to their directory.

Here's an example:

  1. The user submits the form to request the PAUSE connection, just as it works now.
  2. A key is already generated (the one sent to the email), but a second one could be created ($file_key).
  3. The same screen which now says only "check your email" could say "check your email or upload a file named 'metacpan-verify' containing $file_key to your PAUSE directory. When ready, visit metacpan.org/pause-verify"
  4. If the user chooses the file upload option and visits the given page, MetaCPAN could then access cpan/user/metacpan-verify to check if the key matches.

@Grinnz
Contributor

Grinnz commented Oct 9, 2024

That's not generally a bad idea; the only issue is that PAUSE is write-once, so you could only upload a file with a specific name one time.

@haarg
Member Author

haarg commented Oct 9, 2024

There are a number of file extensions that are allowed to be overwritten, including txt and json.
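The file-upload verification flow proposed by tessarin above, worked through as an added example. This is not MetaCPAN or PAUSE code; it is a stand-alone sketch of how a verifying service could issue `$file_key`, look for it in the user's own PAUSE directory, and reject stale, replayed or mismatched keys. It assumes a `.txt` filename (haarg notes above that txt files can be overwritten on PAUSE), a 15-minute key lifetime, and an in-memory stand-in for the CPAN directory; a real deployment would fetch the file from a CPAN mirror over HTTPS instead. The filename, TTL and PAUSE ids used are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical filename: the thread suggests 'metacpan-verify'; a .txt
# extension is used here because the thread notes .txt can be re-uploaded.
VERIFY_FILENAME = "metacpan-verify.txt"
KEY_TTL_SECONDS = 15 * 60  # assumed lifetime of an issued key


@dataclass
class Challenge:
    pause_id: str
    file_key: str
    expires_at: float


class FileVerifier:
    """Issues a per-account file key and checks it against the account's own directory."""

    def __init__(self, fetch_file, now=time.time):
        # fetch_file(pause_id, filename) -> file contents or None if absent.
        # In production this would GET the file from a CPAN mirror.
        self._fetch_file = fetch_file
        self._now = now
        self._pending = {}

    def start(self, pause_id):
        """Create a fresh, unguessable key for this account and remember it."""
        key = secrets.token_urlsafe(32)
        self._pending[pause_id] = Challenge(pause_id, key, self._now() + KEY_TTL_SECONDS)
        return key

    def verify(self, pause_id):
        """Return True only if the pending key is found, unexpired, in pause_id's own directory."""
        challenge = self._pending.get(pause_id)
        if challenge is None:
            return False
        if self._now() > challenge.expires_at:
            del self._pending[pause_id]  # stale key is discarded, user must restart
            return False
        # Only the requesting account's directory is consulted, so a key placed
        # in some other author's directory proves nothing about this account.
        content = self._fetch_file(pause_id, VERIFY_FILENAME)
        if content is None:
            return False
        # Constant-time comparison; trailing newline from the editor is tolerated.
        expected = challenge.file_key.encode()
        if not hmac.compare_digest(content.strip().encode(), expected):
            return False
        del self._pending[pause_id]  # single use: a second visit to the page fails
        return True


def run_demo():
    """Exercise the flow against a constructed in-memory 'CPAN directory'."""
    clock = [1_000_000.0]
    directory = {}  # (pause_id, filename) -> contents; constructed stand-in

    def fetch(pause_id, filename):
        return directory.get((pause_id, filename))

    verifier = FileVerifier(fetch, now=lambda: clock[0])
    results = {}

    key = verifier.start("TESSARIN")  # constructed PAUSE id
    results["missing_file"] = verifier.verify("TESSARIN")

    directory[("TESSARIN", VERIFY_FILENAME)] = "not-the-key\n"
    results["wrong_key"] = verifier.verify("TESSARIN")

    directory[("GRINNZ", VERIFY_FILENAME)] = key  # key in another account's directory
    results["other_account_dir"] = verifier.verify("TESSARIN")

    directory[("TESSARIN", VERIFY_FILENAME)] = key + "\n"
    results["correct_key"] = verifier.verify("TESSARIN")
    results["replay"] = verifier.verify("TESSARIN")

    key2 = verifier.start("TESSARIN")
    directory[("TESSARIN", VERIFY_FILENAME)] = key2
    clock[0] += KEY_TTL_SECONDS + 1
    results["expired"] = verifier.verify("TESSARIN")
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'verified' if ok else 'rejected'}")
```

The key is bound to the account that requested it and is fetched only from that account's directory, so the write-once concern raised by Grinnz is the remaining operational issue, which the overwritable `.txt` extension addresses; expiry and single use limit how long a leaked or forgotten key file stays useful.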
