* API is protected by either api (full access), or mfa scopes
* The second factor only interacts via the mfa scope
* Each companion app get's it's own oauth_client, which enforces the
allowed scope via the new allowed_scopes column + the TokenObserver.
* MFA is not checked for MFA device interactions. This is to allow
pairing & using a new device if an existing one was e.g. lost.
* The QR-Code is now printable and includes the generated oauth_client
secret. Together with the relaxation of mfa-checking for the mfa
scope, this allows to create & print recovery qr-codes.
Further changes:
* The companion app is now offered for direct download via configurable
download link.
* The companion app primary key is now a uuid (in binary form), since
it's exposed in the api.