Token refresh

- store encrypted refresh token on database
- opt1: change all responses to include data & token, so a token is always sent back if possible
- opt2: implement a /refresh endpoint where the app can try to exchange an expired id token for a new one