MST-706. ID Verification is now valid for 2 years, so messaging used to notify learners about their ID expiration should be updated to reflect this. We have chosen to only update the messaging that is related to the current IDV flow (going through IDV on the account MFE), as the old IDV flow is no longer used by learners on edX.

chore: remove `cert_allowlist_generation` management command

refactor: update contact us form

feat!: Replace logging WaffleSwitch with a django settinge.

fix: Reduce safe-sessions false alarms.

This reverts commit c2eabf6c.

We are changing this from a waffle setting to a django setting so we can
undo this query count bump.

This was initially introduced as a temporary flag to be able to get more
information.  But if we get this kind of issue again, we'll need
something like this logging to determine the source of the session
collision.  Rather than removing the code and adding it back in later,
convert this temporary switch into an opt-in setting that can be used
again in the future.

BREAKING_CHANGE: 'safe_session.log_request_user_changes' switch no
longer exists and is replaced with the 'LOG_REQUEST_USER_CHANGES' django
setting which defaults to 'False'

Test to verify the side-effects of calling this function since we now
rely on one of them in the SafeSessionMiddleware.

Add a test to ensure that the login page redirect as long as we have a
valid session even if we have expired on non-existent JWT cookies.

Previously they also had to have a valid JWT cookie which led to a weird
corner case where a user was logged in but still showed the login form
resulting in some confusion and odd behavior.

This change gives precedence to the session token to determine whether
or not someone is logged into the LMS but ensures that if you go through
the login flow, you refresh your JWT cookies. This should not cause any
breakage for MFE flows that might redirect to the LMS login page since
the JWT would get refreshed if it's out of date but the session is
valid.

Six frames was not enough because for DRF views the request gets wrapped
in a proxy object and so we need more of the stack to see what part of
the code we're in that actually invokes the use change.

Video SJSON transcripts are supposed to be UTF-8 encoded, but SJSON
is an ad hoc thing we made up to make it easier to build the
transcripts viewer in the VideoBlock, and it's not well specified.
Prior to this commit, if you had an SJSON file with Latin-1 encoded
text outside the standard ASCII range (e.g. û), then we'd error out
while trying to export it.

This was blocking an effort to export some Old Mongo courses (TNL-8007).

fix: fix typo that prevented video completion working as intended

Co-authored-by: asadiqbal08 <asad.iqbal@arbisoft.com>

Neither of these settings were being correctly set:
* COMPLETION_BY_VIEWING_DELAY_MS
* COMPLETION_VIDEO_COMPLETE_PERCENTAGE

AA-743

[MST-718] Validate the media type of uploaded IDV images

* fix: add missing protocol to web link for assets

* test: fix asset path test

* refactor: update asset web URL to use urljoin

BOM-2408: Removed unused imports from openedx/core/djangoapps/{api_ad…

BOM-2352: Removed unused imports from lms/envs

Exposed the Date header on the outline api so clients can accurately compute times relative to the dates returned by the API; this was previously done with the course API (#26979)

Browser time is notoriously unreliable for this, especially for a Learner-facing countdown call-to-action based on the access expiration date. (REV-2126)

Using the Date header for this allows the client to make use of information that is already sent, does not require additional calls nor modifying the API, and could be generalized to more or all our APIs without modifying them.

* Display import errors to user

* Refactored

* Refactored

* Refactored

* Fixed quality

* Fixed quality

* Refactored code

* Fixed message

* Refactored code

Removed unused imports from lms/envs

Removed unused imports from openedx/core/djangoapps/{api_admin, catalog, ccxcon, certificates}

BOM-2352: Removed unused-imports from lms/djangoapps/verify_student

Updated edx-enterprise version to 3.21.0

Mergeback PR from private to public.

Incident Management Security Fix 13

This change associates users signing in using oauth providers when tpa is required, verifying that only a single database user is associated with the email.

For more information as to why this was added in a separate pipeline, check edx-platform#25935.

When a user logs out, there are warnings logged right now because the
session user_id mismatches(it becomes None on logout).  Previously we
would log the request mismatch on debug and the session mismatch as
normal.

This change will result in us logging nothing if the session change is
not abnormal.

[AA-727] Ensure that course staff can see course outline content when masquerading as a learner

This reverts commit 40878cd5.