New e-portal OIDC-based login and various bugfixes

Today's update (29bf398) brings with it the following changes:

Security issues

• Secure application better against XML-based attack vectors.
• Explicitly use Samesite=Lax cookie policy on insecure cookies.

New features

• Added login and authorization feature against e-portal, based on OpenID Connect workflow. Disabled until e-portal is fully configured.
• Added Log in using e-portal-button to standard right hand side menu. Disabled until e-portal is fully configured.
• Added eportal template function, giving access to issuer, API and logout URLs, making it possible to use these variables in templates.
• User details, institution memberships, groups, roles, course access and student/supervisor relationships are automatically provisioned when logging in using e-portal.
• User identity token (claims collection) from e-portal is verified by signature using JWT semantics. Reduces attack surface. Verification only allows RSA, ECC and Ed algorithms. Decoded identity claims are available in a session variable for use by templates.
• During login using e-portal, the user is redirected to a common Portfolio site before being redirected back to the original site. This is normal and part of the e-portal login process.
• Users without any email registered in e-portal will get an auto-generated email address associated with their Portfolio account.
• If no username has been defined in e-portal, existing users will keep their existing Portfolio username when they login using e-portal.
• If an institution with no owner is imported using e-portal, the owner is set to the orphan user.
• Information from e-portal is cached for a short while to decrease load on e-portal API during login.
• When logging out a session authenticated using e-portal, e-portal session is also logged out.

Enhancements

• Set HTTP user-agent so that when Portfolio is operating as an HTTP client, it can be more easily identified in remote systems.
• Use contact manager UI for adding user in event log report.

Bugfixes

• Logout and redirect to front page when deleting your own account, to avoid a weird login issue.
• Changed the logout request handler to be available to anonymous, so that when you explicitly try to logout when your session is already expired, it doesn't show a login prompt followed by an immediate logout.
• Fixed issue with negative time intervals in time usage reports causing skewed reports.
• Fixed grammar inconsistency with regards to the phrase "login/logout" being used as a verb, when it should be phrased as "log in/log out".
• Ensure consistent phrasing of the word e-portal.