Fix app permissions (#3227)

* Fix app permissions

As pointed out by @nicolasdorier [here](https://github.com/btcpayserver/btcpayserver/pull/3205#issuecomment-999437555).

* Fix for login codes view

* Ensure app belongs to store

BTCPayServer/Security/CookieAuthorizationHandler.cs

@@ -66,8 +66,15 @@ namespace BTCPayServer.Security
                 if (routeData.Values.TryGetValue("appId", out var vAppId))
                 {
                     string appId = vAppId as string;
-                    app = await _appService.GetApp(appId, null);
+                    app = await _appService.GetAppDataIfOwner(userId, appId);
-                    storeId ??= app?.StoreDataId;
+                    if (storeId == null)
+                    {
+                        storeId = app?.StoreDataId;
+                    }
+                    else if (app?.StoreDataId != storeId)
+                    {
+                        app = null;
+                    }
                 }
                 // resolve from payment request
                 if (routeData.Values.TryGetValue("payReqId", out var vPayReqId))

BTCPayServer/Views/Manage/LoginCodes.cshtml

@@ -1,6 +1,6 @@
 @model string
 @{
-    ViewData.SetActivePageAndTitle(ManageNavPages.LoginCodes, "Login codes");
+    ViewData.SetActivePage(ManageNavPages.LoginCodes, "Login codes");
 }
 <h2 class="mb-4">@ViewData["Title"]</h2>
 <p>Easily log into BTCPay Server on another device using a simple login code from an already authenticated device.</p>