Implement refresh tokens

[cheehongw]

Currently, AUTH_SESSION tokens will expire after 1hr. If a currently authenticated user is working on the code-editor for more than an hour, they might become unauthenticated when a request is made to a protected route.

We require a mechanism to refresh the AUTH_SESSION token. For a start, here is what chatgpt suggests:

Implementing refresh tokens is a bit more involved than simply using an access token because it requires maintaining a record of the refresh tokens that are issued, handling their revocation, and managing their longer lifecycles. However, they are crucial for enhancing security and user experience.

Here's a high-level overview of the process, followed by a more detailed walkthrough:

High-Level Overview:

1. Issue Access and Refresh Tokens: Upon successful authentication, both an access token (short-lived) and a refresh token (longer-lived) are generated and sent to the client.
2. Store Refresh Tokens: Refresh tokens are stored server-side (database, cache, etc.) with metadata (user ID, issuance date, expiration, etc.).
3. Use Access Token for Authorization: The client sends the access token with each request for accessing protected resources.
4. Access Token Expires: Once the access token expires, the client can't access protected resources.
5. Request New Access Token with Refresh Token: When the access token expires, the client sends a request with the refresh token to get a new access token.
6. Validate Refresh Token: Before issuing a new access token, the server validates the refresh token against the stored tokens.
7. Issue New Access Token: If the refresh token is valid, a new access token (and possibly a new refresh token) is sent to the client.
8. Handle Refresh Token Expiry/Revocation: If a refresh token is expired or revoked, prompt the user to re-authenticate.