Fix security issues from audit

[Floppy]

Fix issues that came out of #1678. Full report is at https://git.radicallyopensecurity.com/nlnet/ngie-manyfold/-/jobs/127613/artifacts/file/target/report_ngie-manyfold.pdf

High

• MAF-010: [HIGH] File upload insecurities #2234

Elevated

• MAF-009: [ELEVATED] Sessions are not revoked and do not expire #2235
• MAF-007: [ELEVATED] DoS via large file uploading #2236

Moderate

• MAF-017: [MODERATE] Viewer can see conversion problems, and can convert to 3MF #2237
• MAF-008: [MODERATE] No password bruteforce protection on login #2238
• MAF-005: [MODERATE] Missing / incorrect security headers #2239
• MAF-003: [MODERATE] Docker container runs as root #2240
• MAF-002: [MODERATE] User enumeration through various devise forms #2241

Low

• MAF-011: [LOW] Library path can be set arbitrarily, including root #2242
• MAF-006: [LOW] Scripts are loaded from external third party #2243
• MAF-004: [LOW] Various docker security misconfigurations #2244

NLNet milestone 4.5

[Floppy]

A lovely followup note from our pentester, who can't post it as themselves:

I am the pentester who conducted the security assessment for this project, I'm impressed by the comprehensive list of resolved issues presented here. It's encouraging to see that nearly all identified vulnerabilities appear to have been addressed. While I haven't verified these fixes through retesting, the extensive changes documented and the detailed nature of this update are highly promising.
I commend @Floppy 's efforts in prioritizing security and implementing these improvements.
Great work on enhancing the project's security posture!

[Floppy]

#2242 will be closed as part of the library storage rewrite that is happening imminently as part of #1670