LinOTP 3.4 and SelfService 1.3.1

Changelog LinOTP 3.4

Breaking Changes:

• For the container, the `client=` HTTP POST parameter is deprecated and disabled by default. It will be removed in an upcoming version of LinOTP. It can be re-enabled if the `GET_CLIENT_ADDRESS_FROM_POST_DATA` config is set to a true value (the default is "false", for security reasons). Only if re-enabled, the "Authorization:" config on the "System config" dialog in the web-based management UI is available again and `client=` parameters are looked at.
• default of `BACKUP_DIR` is now /var/backups/linotp for the Debian package
• the CLI `linotp backup create` uses `BACKUP_DIR` to save backups instead of the current working directory
• breaking changes to the `linotp audit cleanup` CLI:
  • option `--no-export` is removed
  • option `--export` is added to trigger the export
  • export is disabled by default. Use `linotp audit cleanup --export` to trigger it. This restores LinOTP 2.x behavior
  • options `--min` and `--max` are removed. They are replaced by `--max-entries-to-keep` and `--cleanup-threshold`:
    • `--max-entries-to-keep` (default: 5000) specifies the number of entries to be retained in the audit database.
    • `--cleanup-threshold`: (optional) cleanup is only initiated if the number of entries exceeds this threshold. Must be greater than --max-entries-to-keep. No threshold is active by default, i.e. technically speaking, this parameter is equal to `--max-entries-to-keep` by default.

Features:

• TRUSTED_PROXIES config variable is added to configure LinOTPs proxy trust. This config will override (i.e. disable) the trusted forwarding proxy configuration in the manage ui -> system configuration.
• add option `--delete-after-days` to `linotp audit cleanup`: Delete entries older than the given number of days (starting from the beginning of the day). Can't be used alongside `--max-entries-to-keep` or `--cleanup-threshold`!
• improved debug log output for TOTP resync routine
• improved (mostly by reducing) debug log output during server start and request context.
• reporting api change: If the `realms` parameter is omitted, the realm `/:no realm:/` is now also evaluated.

Fixes:

• when rolling out a forwarding token via /manage, the serial of the target token is included in the description
• faulty JWTs don't cause a `500 Internal Server Error` anymore and the error gets logged properly
• login and logout endpoint for admin authentication was mixed into all /api/v2 controllers which made it possible to use e.g. /api/v2/realms/login. Please use only /admin/{login/logout}
• faulty policies (e.g. `totp_hashlib=sha256`) now return and log a meaningful error message
• audit log entries for `/admin/login` and `admin/logout` now state `success`, `user`, `realm` and `administrator` correctly
• audit log entries for userservice API requests state the correct `success` value
• the last provider (of any kind) can now be deleted
• non-default providers can be now be deleted as expected if and only if they are not part of an authentication policy
• audit log entries for `/userservice/logout` now state `user` and `realm` correctly
• Restored the `period` return attribute in the /reporting/period API endpoint to resolve missing data issue.

Changelog LinOTP SelfService 1.3.1

Breaking Changes:

• verify warning is removed when a token is enrolled with successful verification
• users can login with, test and verify forwarding tokens targeting any common token