This change allows users to write Mailer implementations that either
spawn their own goroutines or honor proper context usage. The current
behavior of the modules with this setting turned to 'false' creates a race
condition between the original http request's context authboss was handed being
cancelled by the http server, and the use of that context by the mailer
implementation which is being run in a goroutine.
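
The race described in this commit message, as an added Go example that is not authboss code: `slowSend`, `serve` and the three handler functions are hypothetical stand-ins, and `serve` cancels the request context once the handler returns, as net/http does. It contrasts the racy pattern with the two mailer styles the message names.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// slowSend stands in for an SMTP call that honors context cancellation (hypothetical).
func slowSend(ctx context.Context) error {
	select {
	case <-time.After(50 * time.Millisecond):
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// serve simulates one request: the request context is cancelled once the handler returns.
func serve(handler func(context.Context, chan<- error)) error {
	reqCtx, cancel := context.WithCancel(context.Background())
	out := make(chan error, 1)
	handler(reqCtx, out)
	cancel()
	return <-out
}

// racy: the caller spawns the goroutine and hands it the request context.
func racy(reqCtx context.Context, out chan<- error) {
	go func() { out <- slowSend(reqCtx) }()
}

// synchronous: the mailer honors the request context and finishes before the handler returns.
func synchronous(reqCtx context.Context, out chan<- error) {
	out <- slowSend(reqCtx)
}

// detached: the mailer spawns its own goroutine with a context it owns.
func detached(_ context.Context, out chan<- error) {
	go func() {
		ctx, stop := context.WithTimeout(context.Background(), time.Second)
		defer stop()
		out <- slowSend(ctx)
	}()
}

func main() {
	fmt.Println(serve(racy), serve(synchronous), serve(detached))
}
```

Detaching with `context.Background()` drops request-scoped values, so a mailer that needs any of them has to copy them out before it spawns its goroutine.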

In Responder.Respond() all context data is merged into the HTMLData before continuing to the HTML rendering. This commit does the same for emails, to make personalized emails possible.

- Add Setup() function for expire to install a hook to set last action
on successful login. If Setup() is not called, expiration starts from
the first request made by the logged in user after the login request
itself.

Users were able to persist one request past expiration because the
session state was not actually hidden for downstream http handlers as it
was in Authboss 1.0 because of the abstraction of ClientState where an
http handler cannot alter the session of subsequent handlers.
There are a number of positive reasons for the design as is, but it did
end up creating this bug when this code was ported from v1 to v2.

In order to prevent leaking of session values (and to avoid the mess of
deleting the entire session cookie which could still have values we want
in it) this nuclear method is now called by expire/logout with a
whitelist of keys to keep (passed in from
Config.Storage.SessionWhitelistKeys).

Lock/Confirm and possibly other authentication preemption mechanisms
hook into 'Before(EventAuth)', but the ordering of these rejection
mechanisms mixed with the 2fa acceptance response could result in a
dual response.