clean up tokens on deauthorize

[AlexTugarev]

clean up tokens on deauthorize

fixes #3800

how to test

1. authorize with two providers
2. disconnect one
3. verify (in the db 🤷🏻‍♂️) that tokens are (marked as) deleted

temporarily disable terms acceptance check in API

[jankeromnes]

Thanks Alex!

access_denied on OAuth

fixes #3801

how to test

1. revoke permissions for the OAuth App of Gitpod preview environments
2. try to login and decline
3. verify to see an error instead of a hanging redirect (and timeout)

This is where I end up at (correct-looking /sorry URL, but since I'm not logged in, it shows the login screen instead):

EDIT: Actually, why even attempt to redirect to /sorry? You could simply redirect to /login in that case (I wouldn't be surprised to see the login screen again if I decline the OAuth prompt).

[AlexTugarev]

@jankeromnes, thanks for testing!

First of, it tries to redirect is an error page (and not to login) and that's what's expected.

An error page that is only rendered if logged in is problematic at least. :-(

In this particular case though the flow and the resulting redirect is happening in a separate browser tab, so the target for redirect should not be the sorry page. Indeed it should redirect to /login-error (symmetrical to /login-success) and propagate to the still open login page, which will close the extra tab and, that's the plan, render a message.

One step at a time.

[AlexTugarev]

@jankeromnes, I extracted #3915 from here. I turns out there is a tail to that problem.

[AlexTugarev]

/werft run

👍 started the job as gitpod-build-at-bugfixes.3

[AlexTugarev]

@csweichel, could you have a look at the changes left in this PR, please?

[csweichel]

Change LGTM