- API is protected by either api (full access), or mfa scopes
- The second factor only interacts via the mfa scope
- Each companion app get's it's own oauth_client, which enforces the allowed scope via the new allowed_scopes column + the TokenObserver.
- MFA is not checked for MFA device interactions. This is to allow pairing & using a new device if an existing one was e.g. lost.
- The QR-Code is now printable and includes the generated oauth_client secret. Together with the relaxation of mfa-checking for the mfa scope, this allows to create & print recovery qr-codes.
- The companion app is now offered for direct download via configurable download link.
- The companion app primary key is now a uuid (in binary form), since it's exposed in the api.
- The companion app table is truncated on migration because nothing is currently relying on it and no important data is lost.
Builds on D3698