1. web/controller/index.go
Stop logging the submitted plaintext password on failed login.
Replace it with "***" in the Telegram notification too.
2. web/controller/server.go + web/html/index.html
Convert /panel/api/server/getDb from GET to POST and require an
X-Requested-With header. Prevents <img>/<a>/<form> CSRF that would
otherwise let an attacker steal the SQLite DB by tricking a logged-in
admin into loading a single URL.
3. web/web.go
Set Secure=true on the session cookie when TLS cert/key are configured,
and tighten SameSite from Lax to Strict for the panel session.
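The request guard and cookie flags described in items 2 and 3 can be sketched as follows. This is an added example, not code from the repository: it uses plain `net/http` rather than the project's own router, and `requireAjaxPost`, `sessionCookie`, `probe`, the cookie name `session` and the `HttpOnly` flag are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireAjaxPost (hypothetical name) lets a request through only if it is a
// POST that carries an X-Requested-With header. <img>, <a> and plain <form>
// requests cannot set a custom header, and a cross-origin script that adds one
// triggers a CORS preflight, so a single crafted URL no longer reaches getDb.
func requireAjaxPost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if r.Header.Get("X-Requested-With") == "" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sessionCookie (hypothetical name) sets Secure only when a TLS cert/key pair
// is configured and always uses SameSite=Strict, as item 3 describes.
func sessionCookie(value string, tlsConfigured bool) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: value, Path: "/", // constructed cookie name
		HttpOnly: true, // assumption: not mentioned in the commit message
		Secure:   tlsConfigured,
		SameSite: http.SameSiteStrictMode,
	}
}

// probe sends one constructed request through the guard and returns the status.
func probe(method string, withHeader bool) int {
	h := requireAjaxPost(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	req := httptest.NewRequest(method, "/panel/api/server/getDb", nil)
	if withHeader {
		req.Header.Set("X-Requested-With", "XMLHttpRequest")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("GET", false), probe("POST", false), probe("POST", true))
	fmt.Println(sessionCookie("example", true).String())
}
```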
* chore: implement 2fa auth
from #2786
* chore: format code
* chore: replace two factor token input with qr-code
* chore: requesting confirmation of setting/removing two-factor authentication
otpauth library was taken from cdnjs
* chore: revert changes in `ClipboardManager`
don't need it.
* chore: removing twoFactor prop in settings page
* chore: remove `twoFactorQr` object in `mounted` function
* [refactor] api controller
* [fix] access log path
better to not hardcode the access log path, maybe some ppl don't want to use the default ./access.log
* [fix] set select options from logs paths in xray settings
* [update] .gitignore
* [lint] all .go files
* [update] use status code for jsonMsg and 401 to unauthorize
* [update] handle response status code via axios
* [fix] set correct value if log paths is set to 'none'
we also use the default value for the paths if it's set to none
* [fix] iplimit - only warning access log if f2b is installed