We rely on broadcast signals for authenticator replies rather than unicast
as these are not filtered by the sandbox (due to them being opt-in by the
receiver).
Actually this already worked fine in the flatpak side as the generated
code already subscribes to the signals, this just switches the internal
authenticators (test and oci) to using the new way to emit signals.
This adds the remote uri, and the per-ref commit id, as well
as extensible per-ref and per-request dicts we can add stuff to
as needed.
These will be used for the OCI case.
This allows the authenticator to handle each token type differently.
For example, this allows a "purchase" type to run the donation
webflow, but not require login (and then store the fact that this was
run locally).
This makes it very easy to reuse a single authenticator for several
remotes. This is useful for the a default authenticator implementation
that we can ship with flatpak and use for e.g. flathub.
If request-webflow file exists, then the authenticator will listen
to a local socket and start a webflow request with a uri pointing to it.
If anything connects to the uri it will consider the flow ok and continue.
If the client calls close() instead it will silently succeed anyway
if require-webflow doesn't exists, and fail if is exists.
This is a trivial implementation of org.freedesktop.Flatpak.Authenticator
that just reads the contents of the "required-token" file and returns
that as the tokens for all refs.
