
Use pass auth/session ID to AuthUser instead of username #51

Open
McSinyx opened this issue Dec 9, 2020 · 1 comment

@McSinyx
Collaborator

McSinyx commented Dec 9, 2020

From quart-auth's docs:

The auth_id is a str [...] allow for uuids to be used (or something else) [...]. The auth_id is so called, rather than being called a user_id to discourage the use of the user’s ID. This makes it easier to revoke the quart-auth session, as to do so the auth_id must be marked as invalid which would require disabling the user’s account if the user’s ID was used.

I was aware of this when I was implementing, but a few unsolved questions prevented me from following the guideline:

  1. When and why do we need to revoke a session?
  2. How do we blacklist the auth_id? In the database?
  3. If auth_id is used to identify the User, do we need to keep a mapping to the actual username?
  4. Since the data in both (2) and (3) grow without bound as people log out and log in again, how do we garbage collect them?

Probably I should ask Philip Jones instead but if anyone has any insight, feel free to share.

@Huy-Ngo
Owner

Huy-Ngo commented Dec 10, 2020

This makes me think of the use of JWTs/tokens (see: Blacklist and Token Revoking, Refresh Token Rotation). It's probably not the same thing though, so take my replies with a grain of salt:

1: If it's like an access token, usually after a few minutes to a few hours; if it's like a refresh token, it can be weeks to months.
2, 3: Yes, and Flask-JWT-Extended recommends Redis (not sure if it's the best in our case though).
4: We can use a cron job to delete ones older than a year.

@Huy-Ngo Huy-Ngo added this to the 0.0.3 milestone Dec 11, 2020
@McSinyx McSinyx removed this from the 0.0.3 milestone Dec 14, 2020
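An added example, not code from this project or from quart-auth, sketching one way to answer questions 2 to 4 above together: each login gets a fresh random auth_id stored in a hypothetical `auth_sessions` table that maps it to the username. Because only known rows are accepted, there is no separate blacklist to maintain: revoking a session is deleting its row (one cookie, or every device of a user after a password change), and garbage collection only removes rows that `resolve_user()` would already reject as too old. The table name, the two-week lifetime and the SQLite-in-memory store are assumptions for the example; timestamps are passed in as integers so the behaviour is deterministic.

```python
"""Per-login auth_id sessions for quart-auth's AuthUser (added example).

Assumes a hypothetical table `auth_sessions` mapping a random auth_id to
the username it was issued for. Unknown auth_ids are rejected, so deleting
a row is revocation; no blacklist is needed.
"""
import secrets
import sqlite3
from typing import Optional

MAX_AGE_SECONDS = 14 * 24 * 3600  # assumption: a session lives two weeks


def open_db() -> sqlite3.Connection:
    """In-memory store for the example; a deployment would persist this."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE auth_sessions (
               auth_id    TEXT PRIMARY KEY,
               username   TEXT NOT NULL,
               created_at INTEGER NOT NULL
           )"""
    )
    conn.execute("CREATE INDEX ix_auth_sessions_user ON auth_sessions(username)")
    return conn


def login(conn: sqlite3.Connection, username: str, now: int) -> str:
    """Issue a fresh, unguessable auth_id for this login (pass it to login_user)."""
    auth_id = secrets.token_urlsafe(32)  # 256 random bits, never the user's own ID
    conn.execute(
        "INSERT INTO auth_sessions (auth_id, username, created_at) VALUES (?, ?, ?)",
        (auth_id, username, now),
    )
    return auth_id


def resolve_user(conn: sqlite3.Connection, auth_id: str, now: int) -> Optional[str]:
    """What an AuthUser would call: map the cookie's auth_id back to a username.

    Unknown (revoked) and stale rows both return None, so the request is
    treated as anonymous.
    """
    row = conn.execute(
        "SELECT username, created_at FROM auth_sessions WHERE auth_id = ?",
        (auth_id,),
    ).fetchone()
    if row is None:
        return None
    username, created_at = row
    if now - created_at > MAX_AGE_SECONDS:
        return None
    return username


def revoke(conn: sqlite3.Connection, auth_id: str) -> bool:
    """Log out one browser (e.g. a leaked cookie) without touching the account."""
    cur = conn.execute("DELETE FROM auth_sessions WHERE auth_id = ?", (auth_id,))
    return cur.rowcount == 1


def revoke_all(conn: sqlite3.Connection, username: str) -> int:
    """Log out every device, e.g. after a password change or suspected compromise."""
    cur = conn.execute("DELETE FROM auth_sessions WHERE username = ?", (username,))
    return cur.rowcount


def garbage_collect(conn: sqlite3.Connection, now: int) -> int:
    """Cron-style cleanup: drop only rows resolve_user() already rejects as stale."""
    cur = conn.execute(
        "DELETE FROM auth_sessions WHERE created_at < ?", (now - MAX_AGE_SECONDS,)
    )
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    t0 = 1_600_000_000
    sid = login(db, "alice", t0)
    print(resolve_user(db, sid, t0 + 60))  # alice
    revoke(db, sid)
    print(resolve_user(db, sid, t0 + 60))  # None: the row is gone, so the cookie is dead
```

Because the lookup is an allowlist rather than a blacklist, the store never has to remember revoked IDs, and the cron job cannot accidentally resurrect anything: a row old enough to be collected would already fail the age check in `resolve_user()`.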