* jwt permissions
* add old password to body req
* add model and migration
need to track the datetime that passwords were changed for the jwt
* auth api backend changes
- use os.open to create jwt secret with restrictive permissions (0o600: read/write for owner only)
- add backend validation for password strength
- add iat claim to jwt so the server can determine when a token was issued and reject any jwts issued before a user's password_changed_at timestamp, ensuring old tokens are invalidated after a password change
- set logout route to public to avoid 401 when logging out
- issue new jwt for users who change their own password so they stay logged in
* improve set password dialog
- add field to verify old password
- add password strength requirements
* frontend tweaks for password dialog
* i18n
* use verify endpoint for existing password verification
avoid /login side effects (creating a new session)
* public logout
* only check if password has changed on jwt refresh
* fix tests
Fix migration 030 by using raw sql to select usernames (avoid ORM selecting nonexistent columns)
* add multi device warning to password dialog
* remove password verification endpoint
Just send old_password + new password in one request, let the backend handle verification in a single operation
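
The secret-file and iat items above, sketched as an added example; this is not code from this commit or the project. Function names, the HS256 choice and the stdlib HMAC signing in place of a JWT library are assumptions, and the caller decides where verify_token runs (the commit runs the password-change check on refresh).

```python
import base64, hashlib, hmac, json, os, secrets, time

def load_or_create_secret(path):
    """Create the signing secret with mode 0o600 at creation time, or reuse it."""
    try:
        # O_EXCL fails if the file exists; the mode is applied when the file is
        # created, so there is no window where it is readable by other users
        # (unlike open() followed by chmod()).
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, "rb") as f:
            return f.read()
    secret = secrets.token_bytes(32)
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    return secret

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def _sign(secret, signing_input):
    return _b64(hmac.new(secret, signing_input, hashlib.sha256).digest())

def issue_token(secret, user, now=None):
    """Issue an HS256 token carrying sub and iat (epoch seconds)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    iat = int(time.time() if now is None else now)
    body = _b64(json.dumps({"sub": user, "iat": iat}).encode())
    return b".".join([header, body, _sign(secret, header + b"." + body)]).decode()

def verify_token(secret, token, password_changed_at):
    """Return the claims, or None if the signature is wrong or the token was
    issued before password_changed_at (epoch seconds, None if never changed)."""
    try:
        header, body, sig = token.encode().split(b".")
        if not hmac.compare_digest(sig, _sign(secret, header + b"." + body)):
            return None
        claims = json.loads(_unb64(body))
        iat = claims["iat"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(iat, int):
        return None
    # Strict "<": a token issued in the same second as the change (the fresh
    # one handed to the user who changed the password) remains valid.
    if password_changed_at is not None and iat < password_changed_at:
        return None
    return claims
```
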