Admin Two Factor Authentication Support #406

Draft
iprice wants to merge 8 commits into main from iain0-admin-2fa

Conversation

@iprice
Collaborator

@iprice iprice commented Apr 27, 2026

Currently only for staging testing.

Provides a web endpoint that validates TG SS13 verify-admin requests, uses Authentik to perform the secondary authentication check, and this code merely rubber-stamps the request if it gets this far.

Points of note:

  • This is NOT a service that grants admin powers; it can only deny existing powers. Bypassing this service only gives you the SS13 perms you already had granted to you.
  • The perl script component runs under the caddy user. This might be undesirable, but with a simplistic handler like this it's probably fine too.
  • The authentik username must match the ckey of the request being validated.
  • The end user IP IS checked (see below) but not enforced; our original admin2fa solution had a special flag for allowing the browser IP and game client IP to differ (I presume because some admins have a web proxy enforced on them).
  • The header for getting the end user IP is probably wrong and needs to be corrected.
  • Some configuration needs to be put into Authentik to support this installation (see below).
  • The DB credentials are stored in a dumb multiline file that consists of dbhost/dbuser/dbpass/dbname/tablename; the tablename is admin_connections in the default SS13/tg schema. The credentials require SELECT and UPDATE on this table only.

Authentik should have a provider set up using the explicit-consent (authorize application) flow, with an external host of https://2fa.tgstation13.org (and another for https://2fa-staging.tgstation13.org) in "Forward auth (single application)" mode. Intercept header authentication should be on (probably the default). Token validity can be minimal (minutes=5).
Authentik should have an application set up, with a slug (admin-2fa), using this provider.
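The deny-only decision the description outlines, as an added Python sketch that is not the PR's Perl handler: it parses the five-line credentials file, requires the Authentik-authenticated username to match the ckey, and records (without enforcing) a browser/game-client IP mismatch. The `X-authentik-username` header name and all sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed: Authentik forward auth sets this header on proxied requests.
USERNAME_HEADER = "x-authentik-username"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    ip_mismatch: bool = False  # recorded for the log, not enforced (as in the PR)


def load_db_credentials(text: str) -> dict:
    """Parse the multiline credentials file: one value per line, in the
    order dbhost/dbuser/dbpass/dbname/tablename."""
    fields = ("dbhost", "dbuser", "dbpass", "dbname", "tablename")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != len(fields):
        raise ValueError(f"expected {len(fields)} lines, got {len(lines)}")
    return dict(zip(fields, lines))


def normalise_ckey(name: str) -> str:
    # A BYOND ckey is the key lowercased with non-alphanumerics stripped.
    return "".join(ch for ch in name.lower() if ch.isalnum())


def validate_verify_request(headers: dict, ckey: str,
                            game_client_ip: str, browser_ip: str) -> Decision:
    """Deny unless Authentik already authenticated a user whose username
    matches the ckey being verified. This never grants anything the
    game has not already granted."""
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(USERNAME_HEADER, "")
    if not user:
        return Decision(False, "no authenticated Authentik user on request")
    if normalise_ckey(user) != normalise_ckey(ckey):
        return Decision(False, f"authentik user {user!r} does not match ckey {ckey!r}")
    return Decision(True, "ok", ip_mismatch=(game_client_ip != browser_ip))


if __name__ == "__main__":
    # Constructed sample inputs, not values from the PR.
    creds = load_db_credentials("db.example\nss13\nsecret\ntg\nadmin_connections\n")
    print(creds["tablename"])
    print(validate_verify_request({"X-authentik-username": "Iain_0"},
                                  "iain0", "10.0.0.5", "192.0.2.7"))
    print(validate_verify_request({}, "iain0", "10.0.0.5", "10.0.0.5"))
```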
