prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization

an é (e with accent) can also be written as e+\u0301. the first form is NFC,
the second NFD. when logging in, we transform usernames (email addresses) to
NFC. so both forms will be accepted. if a client is using NFD, they can log
in too.

for passwords, we apply the PRECIS "opaquestring", which (despite the name)
transforms the value too: unicode spaces are replaced with ascii spaces. the
string is also normalized to NFC. PRECIS may reject confusing passwords when
you set a password.

webauth/admin.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/text/secure/precis"
 
 	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/mox-"
@@ -48,6 +49,11 @@ func (a *adminSessionAuth) login(ctx context.Context, log mlog.Log, username, pa
 		return false, "", fmt.Errorf("reading password file: %v", err)
 	}
 	passwordhash := strings.TrimSpace(string(buf))
+	// Transform with precis, if valid. ../rfc/8265:679
+	pw, err := precis.OpaqueString.String(password)
+	if err == nil {
+		password = pw
+	}
 	if err := bcrypt.CompareHashAndPassword([]byte(passwordhash), []byte(password)); err != nil {
 		return false, "", nil
 	}

webauth/webauth.go

@@ -266,7 +266,7 @@ func Login(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind, coo
 		// We don't set a max-age. These makes cookies per-session. Browsers are rarely
 		// restarted nowadays, and they have "continue where you left off", keeping session
 		// cookies. Our sessions are only valid for max 1 day. Convenience can come from
-		// the browser remember the password.
+		// the browser remembering the password.
 	})
 	// Remove cookie used during login.
 	http.SetCookie(w, &http.Cookie{