feat: finish reauth docs, enhance code.

Decided to keep name Reauth for now.

admin_guide.txt:
  add reference mark to roundup admin help. Used for template command
  reference in upgrading.txt.

customizing.txt:
  added worked example of adding a reauth auditor for address and password.
  Also links to OWASP recommendations.

  Added link to example code in design.doc on detectors.

glossary.txt:
  reference using roundup-admin template command in def for tracker
  templates.

pydoc.txt:
  Added methods for Client class.

  Added class and methods for (cgi) Action, LoginAction and ReauthAction.

reference.txt
  Edited and restructured detector section.

  Added section on registering a detector and priority use/execution order.
     (reference to design doc was used before).

  Added/enhanced description of exception an auditor can
     raise (includes Reauth).

  Added section on Reauth implementation and use (Confirming the User).
    Also has paragraph on future ideas.

upgrading.txt
  Stripped down the original section. Moved a lot to reference.txt.

  Referenced customizing example, mention installation of
  _generic.reauth.html and reference reference.txt.

cgi/actions.py:
  fixed bad ReST that was breaking pydoc.txt processing

  changed doc on limitations of Reauth code.

  added docstring for Reauth::verifyPassword

cgi/client.py:
  fix ReST for a method breaking pydoc.py processing

cgi/templating.py:
  fix docstring on embed_form_fields

templates/*/html/_generic.reauth.html
  disable spelling for password field

  add timing info to the javascript function that processes file data.

  reformat javascript IIFE

templates/jinja2/html/_generic.reauth.html
  create a valid jinja2 template. Looks like my original jinja
    template got overwritten and committed.

  feature parity with the other reauth templates.

test/test_liveserver.py
  add test case for Reauth workflow.

Makefile
  add doc.

Author: rouilj

doc/admin_guide.txt

@@ -1729,6 +1729,8 @@ IMAPS_OAUTH:
    single: roundup-admin; man page reference
    pair: roundup-admin; designator
 
+.. _`roundup-admin templates`:
+
 Using roundup-admin
 ===================
 

doc/customizing.txt

@@ -1815,6 +1815,60 @@ Some simple javascript might help in the last step. If you have high volume
 you could search for all currently-Pending users and do a bulk edit of all
 their roles at once (again probably with some simple javascript help).
 
+.. _sensitive_changes:
+
+Confirming Users Making Sensitive Account Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Some changes to account data: user passwords or email addresses are
+particularly sensitive. The `OWASP Authentication`_ recommendations
+include asking for a re-authentication or confirmation step when making
+these changes. This can be easily implemented using an auditor.
+
+Create a file in your detectors directory with the following
+contents::
+
+    from roundup.cgi.exceptions import Reauth
+
+    def confirmid(db, cl, nodeid, newvalues):
+
+        if hasattr(db, 'reauth_done'):
+           # the user has confirmed their identity
+           return
+
+        # if the password or email are changing, require id confirmation
+        if 'password' in newvalues:
+            raise Reauth('Add an optional message to the user')
+
+        if 'address' in newvalues:
+            raise Reauth('Add an optional message to the user')
+
+    def init(db):
+        db.user.audit('set', confirmid, priority=110)
+
+If a change is made to any user's password or address fields, the user
+making the change will be shown a page where they have to enter an
+identity verifier (by default the invoking user's account password).
+If the verifier is successfully verified it will set the
+``reauth_done`` attribute on the db object and reprocess the change.
+
+The default auditor priority is 100. This auditor is set to run
+**after** most other auditors. This allows the user to correct any
+failing information on the form before being asked to confirm their
+identity. Once they confirm their identity the change is expected to
+be committed without issue. See :ref:`Confirming the User` for
+details on customizing the verification operation.
+
+Also you could use an existing auditor and add::
+
+      if 'someproperty' in newvalues and not hasattr(db, 'reauth_done'):
+        raise Reauth('Need verification before changing someproperty')
+
+at the end of the auditor (after all checks are done) to force user
+verification. Just make sure you import Reauth at the top of the file.
+
+.. _`OWASP Authentication`:
+   https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
 
 Changes to the Web User Interface
 ---------------------------------
@@ -2436,6 +2490,10 @@ The `reference document`_ also has examples:
   <reference.html#extending-the-configuration-file>`_.
 * `Adding a new Permission <reference.html#adding-a-new-permission>`_
 
+as does the design document:
+
+* `detector examples <design.html#detector-example>`_
+
 Examples on the Wiki
 ====================
 

doc/glossary.txt

@@ -99,7 +99,9 @@ Roundup Glossary
 	 tracker with a particular look and feel, :term:`schema`,
 	 permissions model, and :term:`detectors`. Roundup ships with
 	 five templates and people on the net `have produced other
-	 templates`_
+	 templates`_. You can find the installed location of the
+	 standard Roundup templates using the :ref:`roundup-admin
+	 templates <roundup-admin templates>` command.
 
 
    tracker

doc/pydoc.txt

@@ -9,7 +9,32 @@ Client class
 ============
 
 .. autoclass:: roundup.cgi.client::Client
+   :members:
+   
+CGI Action class
+================
+
+Action class and selected derived classes.
+
+Action
+------
+.. autoclass:: roundup.cgi.actions::Action
+   :members:
+
+LoginAction
+------------
 
+.. autoclass:: roundup.cgi.actions::LoginAction
+   :members:
+
+.. _`ReauthAction_pydoc`:
+
+ReauthAction
+------------
+
+.. autoclass:: roundup.cgi.actions::ReauthAction
+   :members:
+   
 Templating Utils class
 ======================