OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix

Prior to this fix, POST /api/v1/apps could create "Mastodon-Local" app wth any redirect_uris (creator received client_secret in response) — this action doesn't require any authentication.

E.g.

curl --data "client_name=Mastodon-Local" --data "redirect_uris=https://hackyou.com" --data "scopes=read,write,follow" http://pleroma.dev:4000/api/v1/apps

{"website":null,"redirect_uri":"https://hackyou.com","name":"Mastodon-Local","id":"16","client_secret":"xz41G1Je49vpM5o5BfSzm9MxkGafHAWZ7cGsmDwurgo=","client_id":"9RMzL5ldu3r4o58PgL94VKia5C7kvE7wAp400XsJHUA="}

If the above happened before /web/login is accessed for the first time then Pleroma used this externally created record assuming the following: it's internally created, the redirect_uris is ., client_secret is not exposed (all in fact false in above scenario).

If the above happened after /web/login is accessed for the first, it will (just) break the bundled Mastodon FE since the code expects exactly one record with client_name: "Mastodon-Local".

This MR:

• prohibits creation of apps with name Mastodon-Local via POST /api/v1/apps.
• ensures that redirect uri coming from params to Pleroma.Web.OAuth.OAuthController.create_authorization is one of the URIs listed in redirect_uris of app record (assuming whitespace-delimited entries in this string field), as this check is a mandatory part of OAuth2.