Refactor and consolidate user session logic

[zoldar]

Changes

This PR refactors and creates a groundwork for implementing persisted user sessions.

Review can be done commit-by-commit for convenience.

• User session management and retrieval is completely abstracted behind PlausibleWeb.UserAuth. The module takes care of managing cookies (currently the defaults session when and "logged_in" cookie shared with static site). There are also extension points introduced already for supporting persisted sessions and transition from the current (legacy) cookies to the new, token based ones which will be persisted using Plausible.Auth.UserSession (currently an embedded schema - just enough to support existing cookie auth).
• Cookies are now always renewed/reset, reducing the potential risk of session fixation attacks.
• There's a new assign introduced, called live_socket_id. Once the token based authentication is implemented, it will allow disconnecting LV clients on either explicit logout or after revoking the relevant token(s). More details in the docs. NOTE: As Phoenix PubSub is not fully setup, we might still not be able to fully benefit from that mechanism.
• The current_user_id value is no longer explicitly passed via live_render's session option. All existing session keys are passed through implicitly, to this was redundant.
• PlausibleWeb.Live.AuthContext is now automatically populating current_user (and current_user_session) in LV context on mount - provided it's not provided by the AuthPlug already which is sooner in the overall pipeline.
• Both Live.AuthContext and AuthPlug ensure the shape of the loaded user is the same, always with an active subscription preloaded if there is one.
• Any direct references to current_user_id session value got removed from LV in favor of retrieving current_user implicitly set by the auth plug or context.
• The current_user from the context is used more consistently in a number of spots (mostly around billing where user was refetched and set under a different key, like user).

Tests

• Automated tests have been added

Changelog

• This PR does not make a user-facing change

Documentation

• This change does not need a documentation update

Dark mode

• This PR does not change the UI

[github-actions]

Preview environment👷🏼‍♀️🏗️
PR-4452

[zoldar]

Moved site assignment under assign_new here. I think it's fine to reuse existing assign if present but maybe I'm missing something?

[zoldar]

It was a literal instead of interpolated string - fixed it btw (the same goes for other instances in shields LVs).

[zoldar]

This assign was completely unused in the modal component.

[aerosol]

Nice and clean ✨

[aerosol]

Just to make sure - renewing is just as good as dropping the cookie now?

[zoldar]

Renewing and clearing session is basically identical as dropping it in case of using COOKIE session store. It makes more of a difference in case of other stores (ETS, there's also Redis driver) where session data is stored server-side and session ID is stored in the cookie. Renewing then is indeed necessary to avoid malicious reuse of the same session ID (so-called session fixation attacks). Defaulting to renewal + clear is fine and additionally future-proof in case we ever want to switch the session store to avoid risk of potentially forgetting to update the reset strategy. For reference here's a short discussion clearing that up a bit: phoenixframework/phoenix#5466

[aerosol]

nice 👏