~roadmr/canonical-identity-provider:nag-time-jitter

Last commit made on 2020-08-19
Get this branch:
git clone -b nag-time-jitter https://git.launchpad.net/~roadmr/canonical-identity-provider

Branch information

Name:
nag-time-jitter
Repository:
lp:~roadmr/canonical-identity-provider

Recent commits

941819c... by Daniel Manrique

No randint in models.twofactor anymore

ed9121e... by Daniel Manrique

Fix jitter behavior for last_nag.

- Do not update last_nag with jitter when using a backup device.
- Do update it with jitter if it was None (so we set up to nag the
user randomly in the future, but not right now)
- But do not update it if the user has no backup devices (so we don't
set up a nag that will fire the moment they add a backup device)

6ba2bcc... by Daniel Manrique

Add randomness to initial 2FA backup nag/check times.

To avoid an initial "horde" of people getting nagged on the exact same
day once we flip the feature flag on, this adds a random jitter from 0
to 50% of the nag interval to distribute the nags over a longer period.

This is done only on the *initial* nag set (i.e. when the value is found
to be None, meaning we had never set it for this user) and for both
last_nag (which is per account) and last_check (which is per device).
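The scheduling rules spelled out in the two commit messages above (6ba2bcc and ed9121e), as an added Python illustration; this is not the project's own code. The NAG_INTERVAL value, the in-memory Account/Device records, the on_login/on_backup_device_added entry points, and the choice to push the first nag later (never earlier) are assumptions made for the example.

```python
"""Initial 2FA backup nag scheduling with start-time jitter (added example).

Illustrates commits 6ba2bcc and ed9121e; not the project's code. NAG_INTERVAL,
the Account/Device records, the entry points and the jitter direction are
assumptions.
"""
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NAG_INTERVAL = timedelta(days=90)  # assumed; the real interval is not on the page
JITTER_FRACTION = 0.5              # "from 0 to 50% of the nag interval"


@dataclass
class Device:
    name: str
    is_backup: bool
    last_check: Optional[datetime] = None  # per device


@dataclass
class Account:
    devices: List[Device] = field(default_factory=list)
    last_nag: Optional[datetime] = None    # per account

    def has_backup_device(self) -> bool:
        return any(d.is_backup for d in self.devices)


def initial_jitter(interval: timedelta, rng: random.Random) -> timedelta:
    """Uniform offset in [0, JITTER_FRACTION * interval).

    The jitter only spreads load and is not a secret, so a seedable
    random.Random is acceptable and keeps the schedule reproducible in tests.
    """
    return interval * rng.uniform(0.0, JITTER_FRACTION)


def on_login(account: Account, device: Device, now: datetime, rng: random.Random) -> None:
    """Update nag/check timestamps after a successful 2FA login with `device`."""
    if device.is_backup:
        # Using a backup device is a real check of that device: record it
        # exactly, with no jitter, and reset the account-level nag clock.
        device.last_check = now
        account.last_nag = now
        return
    if account.last_nag is None and account.has_backup_device():
        # First time this account is seen with a backup device: start the clock
        # at a random point in the future so the whole user base is not nagged
        # on the same day the feature flag is flipped.
        account.last_nag = now + initial_jitter(NAG_INTERVAL, rng)
    # An account with no backup devices keeps last_nag = None: setting it now
    # would make the nag fire the moment a backup device is eventually added.


def on_backup_device_added(device: Device, now: datetime, rng: random.Random) -> None:
    """A new backup device gets a jittered per-device last_check, once, while None."""
    if device.last_check is None:
        device.last_check = now + initial_jitter(NAG_INTERVAL, rng)


def should_nag(account: Account, now: datetime) -> bool:
    """Nag only accounts with a backup device whose scheduled clock has expired."""
    if not account.has_backup_device() or account.last_nag is None:
        return False
    return now - account.last_nag >= NAG_INTERVAL


def demo() -> dict:
    """Walk through the three cases from the commit message; return what happened."""
    rng = random.Random(2020)
    now = datetime(2020, 8, 19, tzinfo=timezone.utc)
    primary = Device("phone", is_backup=False)
    backup = Device("printed-codes", is_backup=True)

    # 1. No backup devices: last_nag stays None.
    acct = Account(devices=[primary])
    on_login(acct, primary, now, rng)
    stays_none = acct.last_nag is None

    # 2. Backup device added, then a primary login: jittered clock, no nag today.
    on_backup_device_added(backup, now, rng)
    acct.devices.append(backup)
    on_login(acct, primary, now, rng)
    nag_jitter_days = (acct.last_nag - now).total_seconds() / 86400
    check_jitter_days = (backup.last_check - now).total_seconds() / 86400
    nagged_now = should_nag(acct, now)
    nagged_after_window = should_nag(acct, now + NAG_INTERVAL * 1.5)

    # 3. Logging in with the backup device itself resets exactly, without jitter.
    later = now + timedelta(days=10)
    on_login(acct, backup, later, rng)
    return {
        "stays_none": stays_none,
        "nag_jitter_days": nag_jitter_days,
        "check_jitter_days": check_jitter_days,
        "nagged_now": nagged_now,
        "nagged_after_window": nagged_after_window,
        "reset_exact": acct.last_nag == later and backup.last_check == later,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the dict from demo(): the jitter offsets fall within 45 days, the account is not nagged on the day the clock is set, and a login with the backup device collapses both timestamps onto the real check time.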

0ef30ed... by Daniel Manrique

Update saml2idp to 0.21 for proper, tested, working sha2 digest/signature support in SAML.

Also update the tests so we're sure the correct identifiers are used at the SSO level; correct signing itself is tested thoroughly in the saml2idp project proper.

Had more repercussions than I expected (required adding bs4 and updating m2crypto, which required a custom wheel instead of a system package), but it works well in local tests.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/+git/canonical-identity-provider/+merge/388613

73e7807... by Daniel Manrique

Update sha512 test and key/cert files so it works

3956c71... by Daniel Manrique

Update requirements files for saml2idp.

Add saml2idp 0.21 which also requires the following changes.

m2crypto from xenial is ancient, moving to a new version.

saml2idp tests now require beautifulsoup4 in addition to
beautifulsoup3. bs4 is available as a system package but moving
toward wheels sounds nice.

7e013bd... by Daniel Manrique

Update test expectations for both sha1 and sha2 saml signatures/digests

ea52f9f... by Maximiliano Bertacchini

Set explicit "SameSite=None; Secure" on session and csrf cookies

Fixes openid auth in modern browsers which default to "SameSite=Lax"
(Chrome 84 implements a slightly more permissive logic as a temporary mitigation; Firefox has it available to test as of version 69 and will make it default in the future)

Merged from https://code.launchpad.net/~maxiberta/canonical-identity-provider/+git/canonical-identity-provider/+merge/388247

7962caf... by Maximiliano Bertacchini

Fix a couple of lint issues

ece5bfa... by Maximiliano Bertacchini

Add explicit ua_parser dependency