get_client_secret_from_state/1 gets the client_id from state, attempts to decode_decrypt it and then look it up in apikeys if it finds the corresponding client_secret it returns the client_secret. All other failure conditions return a 0 (zero) which results in a 401.

github_auth/2 handles the callback from GitHub Auth API redirect.

google_handler/2 handles the callback from Google Auth API redirect.

handler/3 responds to successful auth requests. if the state is defined, redirect to it.

login_register_handler/2 is a hybrid of traditional registration and login. If the person has already registered, we treat it as a login attempt and present them with a password field/form to complete. If the person does not exist (or has not yet verified their email address), we show them a welcome screen informing them that a verification email was sent to their address. When they click it they will see a password (reset) form where they can define a new password for their account.

logout/2 logs the person out of their session and destroys cookie.

make_verify_link/3 creates a verfication link that gets included in the email we send to people to verify their email address. The person.id is encrypted and base58 encoded to avoid anyone verifying a different person's email. (not that anyone would do that, right? ;-) We include the original state (HTTP referer) so that the request can be redirected back to the desired page on successful verification.

password_create/2 is called when a new person is registering with email and is defining a password for the first time. Note: at present we are not enforcing any rules for password strength/length. Thinking of doing these checks as progressive enhancement in Browser. see:

password_prompt/2 handles all requests to verify a password for a person. If the pasword is verified (using Argon2.verify_pass), redirect to their desired page. If the password is invalid reset & re-render the form.

redirect_or_render/3 does what it's name suggests, redirects if the state (HTTP referer) is defined or renders the default :welcome template. If the auth_client_id is undefined or invalid, render the unauthorized/1 401.