Initially, I wanted to use oauth for the web app UI, but it's not possible: to validate an oauth login, you must be authenticated, so there is a loop here ;) See #1108 (closed).
Since in 99% of cases the webapp is on the same domain as the API, it's way easier and more secure to use session/cookie based auth.
This MR does that by:
/api/v1/users
For the remaining 1% cases, where we won't be able to use cookie based auth because the front-end is served on another domain, we can use OAuth (to be implemented): the front-end will be considered as a separate oauth app and use OAuth for everything.