Initially, I wanted to use oauth for the web app UI, but it's not possible: to validate an oauth login, you must be authenticated, so there is a loop here ;) See #1108 (closed).
Since in 99% of cases the webapp is on the same domain as the API, it's way easier and more secure to use session/cookie based auth.
This MR does that by:
Adding the necessary logic for cookie based login/logout on the API
Update the front-end to use the new session-based auth
Implement CSRF checks and header passing (because cookie based auth is vulnerable to this kind of attacks)
(unrelated) more consistent URL schemes, everything that is auth/user related is now under
For the remaining 1% cases, where we won't be able to use cookie based auth because the front-end is served on another domain, we can use OAuth (to be implemented): the front-end will be considered as a separate oauth app and use OAuth for everything.