Replace HMAC-based session API keys with tokens stored in memory in the daemon process

Since the session cache clears keys after a period of time, this fixes #1821.

Based on https://github.com/mail-in-a-box/mailinabox/pull/2012, and so:

Co-Authored-By: NewbieOrange <NewbieOrange@users.noreply.github.com>

Also fixes #2029 by not revealing through the login failure error message whether a user exists or not.

management/templates/index.html

@@ -367,11 +367,17 @@ var current_panel = null;
 var switch_back_to_panel = null;
 
 function do_logout() {
+  // Clear the session from the backend.
+  api("/logout", "POST");
+
+  // Forget the token.
   api_credentials = ["", ""];
   if (typeof localStorage != 'undefined')
     localStorage.removeItem("miab-cp-credentials");
   if (typeof sessionStorage != 'undefined')
     sessionStorage.removeItem("miab-cp-credentials");
+
+  // Return to the start.
   show_panel('login');
 }
 

management/templates/login.html

@@ -105,8 +105,8 @@ function do_login() {
   api_credentials = [$('#loginEmail').val(), $('#loginPassword').val()]
 
   api(
-  "/me",
-  "GET",
+  "/login",
+  "POST",
   {},
   function(response) {
     // This API call always succeeds. It returns a JSON object indicating