Replace Basic Authentication with JWT Tokens, Added Login Page #2252
TheElixZammuto wants to merge 6 commits into master
44fdc58 to
8ba64ff
Simply to simplify the authentication methods and not support both of them. This could be useful in situations where we would like to add different/new types of authentication systems without having to deal with this. Btw, I'll let @ReenigneArcher and @cgutman decide on that; I don't have a very strong opinion on that.
I agree with Elix. Less code to maintain would be my preference.
@Nonary are you using the API for anything? I thought you were parsing the log files for your projects. We did a search on GitHub and didn't really find anyone doing anything with our API.
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #2252 +/- ##
=========================================
- Coverage 6.17% 6.16% -0.02%
=========================================
Files 86 86
Lines 17546 17644 +98
Branches 8190 8263 +73
=========================================
+ Hits 1083 1087 +4
+ Misses 15410 14725 -685
- Partials 1053 1832 +779
Given that we are already refactoring stuff here, can we move out all authentication logic/implementation to another file like http_authenticator or something, and only call it here?
Would also make it easier to unit test, fix, replace or even support multiple auth styles in the future.
It looks like this PR has been idle for 90 days. If it's still something you're working on or would like to pursue, please leave a comment or update your branch. Otherwise, we'll be closing this PR in 10 days to reduce our backlog. Thanks!
PR replaced by #2995.
I'm overtaking this with #3999. Submitting comment so that those who were previously following this PR are notified that this feature might be added to Sunshine coming soon.
Description
This PR replaces the current Login Page (which is based off the Basic Authentication) with a custom Login Page that implements Cookies + JWT to handle the session system.
This allows us to customize the UX of the login page, and it's more compatible with password managers.
The JWT Key is generated on the fly by Sunshine on each boot and is kept in memory. This allows us to not fiddle with revocation lists and safely storing the encryption key. The only side effect is that the credentials will be invalidated on a Sunshine Reboot, but the Web UI is already capable of handling this edge case and showing a login modal when the credentials expire without reloading the entire page.
This breaks the current API Authentication, but nobody uses the Web UI API as far as we know. If so, let us know!
Screenshot
Issues Fixed or Closed
https://ideas.moonlight-stream.org/posts/329/sunshine-use-login-page-rather-than-login-prompt
Type of Change
.github/...)
Checklist
Branch Updates
LizardByte requires that branches be up-to-date before merging. This means that after any PR is merged, this branch must be updated before it can be merged. You must also Allow edits from maintainers.
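
The key handling described in the PR description above, as an added Python sketch that is not code from this PR or from Sunshine: a session token signed with a random key held only in process memory, so a restart invalidates every outstanding session without a revocation list. HS256, the `sub`/`exp` claims, the one-hour lifetime and all class and function names are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SessionSigner:
    """Hypothetical HS256 session signer whose key exists only in this process."""

    def __init__(self, ttl_seconds=3600):
        self._key = secrets.token_bytes(32)  # new key on every start, never written to disk
        self._ttl = ttl_seconds

    def _sign(self, signing_input):
        return hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = b64url_encode(json.dumps({"sub": username, "exp": int(now) + self._ttl}).encode())
        body = f"{header}.{claims}"
        return f"{body}.{b64url_encode(self._sign(body))}"

    def verify(self, token, now=None):
        """Return the username for a valid token, or None for anything else."""
        now = time.time() if now is None else now
        try:
            header_b64, claims_b64, sig_b64 = token.split(".")
            # Pin the algorithm server-side; the token must not be able to pick "none".
            if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
                return None
            expected = self._sign(f"{header_b64}.{claims_b64}")
            if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
                return None  # wrong key (e.g. issued before a restart) or tampered claims
            claims = json.loads(b64url_decode(claims_b64))
            if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
                return None
            return claims.get("sub")
        except (ValueError, TypeError, AttributeError):
            return None  # malformed token: wrong part count, bad base64, bad JSON
```

A second `SessionSigner()` instance stands in for the service after a restart: it rejects tokens from the first instance because its key differs, which is the "credentials invalidated on reboot" behaviour the description mentions.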