Adds User registration/login flows

There is one hard-coded user `user123` with a terrible password.

New users can register and log in.

2FA code for user registration

A secret is now generated for each user when they register, persisted in
the DB and shared on the "thank you for registering" page.

Users can scan the QR code with their authenticator app, but it's not
(yet) needed for logging in.

Login phase is DONE

Users will now need to use the 2FA code from their app when they log
in.

Prevents users registering with pwned passwords

WebController calls the ;--haveibeenpwned API and rejects registration if the password is found there