Polish the password recovery flow and other small design tweaks

[sandhose]

Fixes #3032

This can be reviewed commit by commit:

• Render an earlier loading screen fallback shows a spinner earlier
• Fix the cross signing reset cancel and error screens as there were some layout issues
• Typo in the consent screen
• Make the rate limiter available to the GraphQL API handlers so that we can rate limit the email recovery resend
• Polish the password recovery page, which includes:
  • showing an error message if the recovery link is expired, with a button to resend the email
  • showing an error message if the recovery link has already been used
  • including an invisible username field in the form, so that password managers can save the new password
• Better collapsible sections, in sync with the latest Figma designs
• Adjust layout spacings, to make them more in line with the designs

[cloudflare-workers-and-pages]

Deploying matrix-authentication-service-docs with    Cloudflare Pages

Latest commit:	e708212
Status:	✅  Deploy successful!
Preview URL:	https://d9367cff.matrix-authentication-service-docs.pages.dev
Branch Preview URL:	https://quenting-design-review-jan-2.matrix-authentication-service-docs.pages.dev

View logs

[reivilibre]

just one (probably small) thing

[reivilibre]

I don't understand the intended flow for this.

I assumed the recovery ticket is the code that arrives in the e-mail (embedded in a URL, probably) and that lets you recover the account.

So why would you use a recovery ticket to resend the recovery e-mail?

If the ticket is more public than that, I don't think I am happy with the idea that you can use a ticket to request the username of the user...

edit: from the client code I think I gleam that it's for expired tickets. If so, can you state that more clearly in the documentation for the resend operation?

[sandhose]

That's right, I've added a comment in 8a69c9a