Prevent enumeration of users on instance#8343

Draft
Inverle wants to merge 2 commits into FreshRSS:edge from Inverle:harden-login

Conversation


@Inverle Inverle commented Dec 24, 2025

+redirect to index in formLogin if logged in
+try to simplify formLogin by not using internal redirects

This is a WIP; I have not yet properly reviewed whether timing attacks are possible for user enumeration.

The following user enumeration techniques have been fixed:

  • If you entered a valid username with a wrong password, you'd get a failure notification, but if you entered an invalid username then you'd get redirected to a 403 "Login is invalid" page, which allowed for trivial user enumeration
  • Multiple reloads of ?c=javascript&a=nonce&user=<user> displayed a different salt1 value each time for non-existent users; now a value is displayed based on a hash of the username if the user doesn't exist
    • Still possible to check if a user exists unauthenticated if they happen to change their password (salt1 for existing users is first 29 characters of password hash, which I'm not sure is a great idea - maybe something should be done with that)
    • Tried to simplify the nonce endpoint
    • Overall I think it would be best to get rid of bcrypt.js challenge authentication

One user enumeration technique that is not possible to fix is when the registration form is enabled (can't register existing usernames)
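The salt-endpoint fix described in the comment above, as an added illustration that is not FreshRSS code and not part of this PR. It shows the leaky behaviour (a fresh random salt on every request for unknown users) beside the hardened one (a stable, bcrypt-shaped value derived from the username). The user table, the per-instance secret, the helper names and the use of a keyed HMAC rather than a plain hash are all assumptions made for the example; the 29-character prefix of a real user's stored hash is still returned for existing accounts, so the caveat in the comment about password changes being observable still applies.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one existing account whose stored bcrypt-style hash
# begins with the 29-character prefix "$2y$10$" plus a 22-character salt.
USERS = {
    "alice": "$2y$10$abcdefghijklmnopqrstuvAbCdEfGhIjKlMnOpQrStUvWxYz0123456",
}

# Hypothetical per-instance secret (assumption). In a real deployment this
# would be a persistent key so the fake salt stays stable across restarts.
SERVER_SECRET = b"constructed-per-instance-secret"

# bcrypt's own base64 alphabet, so the fake salt looks like a real one.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def leaky_salt1_for(username: str) -> str:
    """The pre-fix behaviour: unknown users get a new random salt per request.

    Two requests for the same unknown name return different values, while an
    existing user always gets the same prefix, so existence leaks trivially.
    """
    stored = USERS.get(username)
    if stored is not None:
        return stored[:29]
    rand = secrets.token_bytes(22)
    return "$2y$10$" + "".join(BCRYPT_ALPHABET[b % 64] for b in rand)


def fake_salt_prefix(username: str) -> str:
    """Deterministic, bcrypt-shaped 29-char prefix for a username that does not exist.

    A keyed HMAC (assumption) is used instead of a plain hash so the value
    cannot be precomputed by someone who does not hold the instance secret.
    """
    digest = hmac.new(SERVER_SECRET, username.encode("utf-8"), hashlib.sha256).digest()
    salt = "".join(BCRYPT_ALPHABET[b % 64] for b in digest[:22])
    return "$2y$10$" + salt


def salt1_for(username: str) -> str:
    """The hardened behaviour: the same shape and stability whether or not the user exists."""
    stored = USERS.get(username)
    if stored is not None:
        return stored[:29]
    return fake_salt_prefix(username)


def looks_like_bcrypt_prefix(value: str) -> bool:
    """Check that a value has the format an observer would expect from a real salt1."""
    return (
        len(value) == 29
        and value.startswith("$2y$10$")
        and all(c in BCRYPT_ALPHABET for c in value[7:])
    )


if __name__ == "__main__":
    print("leaky, unknown user, two requests:", leaky_salt1_for("nobody"), leaky_salt1_for("nobody"))
    print("fixed, unknown user, two requests:", salt1_for("nobody"), salt1_for("nobody"))
    print("fixed, existing user:             ", salt1_for("alice"))
```

Running the block prints two differing values for the leaky endpoint and two identical ones for the hardened endpoint; the existing user's line is simply the stored hash prefix, which is what the comment flags as still worth revisiting.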

@Inverle Inverle added this to the 1.28.1 milestone Dec 24, 2025
@Alkarex Alkarex modified the milestones: 1.28.1, 1.29.0 Jan 24, 2026