Fix/issue 2359 secure session rotation #2366

Open
Prateek2007-cmd wants to merge 5 commits into janavipandole:main from Prateek2007-cmd:fix/issue-2359-secure-session-rotation
Conversation

@Prateek2007-cmd

Contributor

Description

Resolves Issue #2359 (Long-Lived Access Tokens & Missing Revocation) and Issue #2360 (JWT Storage Vulnerable to XSS).

The legacy authentication pipeline suffered from multiple severe architectural flaws. It issued static, 7-day access tokens with no revocation mechanism, creating massive windows of vulnerability during a breach. Furthermore, it relied on the client to store these tokens in localStorage, making the entire session vulnerable to DOM-based XSS extraction.

This PR establishes a state-of-the-art, secure session management architecture using split-token HttpOnly cookies.

Changes Made

  • Access Token Reduction: Dropped the access_token lifespan from 7 days to 15 minutes to violently shrink the window of compromise.
  • Refresh Token Rotation: Introduced create_refresh_token (7 days) and a dedicated POST /api/auth/refresh endpoint to handle seamless background session extension without user interruption.
  • HttpOnly Storage: Purged JSON token body responses and migrated token delivery to Response.set_cookie utilizing httponly=True, secure=True, and samesite="lax" parameters, effectively sandboxing tokens away from malicious JavaScript.
  • Session Revocation: Implemented a POST /api/auth/logout endpoint to forcefully delete session cookies, providing immediate session termination.

Type of Change

  • Critical Security Fix
  • Architectural Refactor

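Added example, not code from this PR or the project: a stand-alone sketch of the split-token flow the description outlines, written in standard-library Python so it runs without FastAPI or a JWT library. It issues a 15-minute access token and a 7-day refresh token, emits both as HttpOnly, Secure, SameSite=Lax Set-Cookie headers, rotates the refresh token on the refresh endpoint and clears both cookies on logout. It goes beyond the description in one respect: it keeps a server-side record of live refresh-token IDs, so logout and rotation actually invalidate the old refresh token, and a replayed (already rotated) refresh token revokes all of that user's sessions. The HMAC token format, SECRET_KEY, SessionService and the in-memory store are assumptions standing in for the project's JWT helpers and database; the lifetimes are the ones the PR states.

```python
"""Split-token session handling: 15-minute access token, 7-day rotating refresh
token, both delivered as HttpOnly cookies, with server-side revocation.
Standard library only; the HMAC token format and the in-memory store are
stand-ins (assumptions) for the JWT library and database a real deployment uses."""
import base64
import hashlib
import hmac
import json
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

SECRET_KEY = b"hypothetical-server-secret-rotate-me"  # assumption, not the project's key
ACCESS_TTL = 15 * 60             # seconds; access-token lifetime stated in the PR
REFRESH_TTL = 7 * 24 * 60 * 60   # seconds; refresh-token lifetime stated in the PR


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Serialise claims and append an HMAC-SHA256 tag (stand-in for JWT signing)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_token(token: str, expected_type: str, now: float) -> Optional[dict]:
    """Return the claims if the tag is valid, the type matches and it is unexpired."""
    try:
        body, tag = token.split(".", 1)
        want = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:           # bad base64, bad JSON, missing separator
        return None
    if claims.get("type") != expected_type or claims.get("exp", 0) <= now:
        return None
    return claims


def session_cookie_headers(access: Optional[str], refresh: Optional[str]) -> List[str]:
    """Build the two Set-Cookie header values. None clears a cookie (Max-Age=0)."""
    headers = []
    for name, value, ttl, path in (
        ("access_token", access, ACCESS_TTL, "/"),
        # refresh cookie is only ever sent to the refresh endpoint
        ("refresh_token", refresh, REFRESH_TTL, "/api/auth/refresh"),
    ):
        jar = SimpleCookie()
        jar[name] = value or ""
        jar[name]["httponly"] = True    # not readable via document.cookie
        jar[name]["secure"] = True      # HTTPS only
        jar[name]["samesite"] = "Lax"
        jar[name]["path"] = path
        jar[name]["max-age"] = ttl if value else 0
        headers.append(jar.output(header="").strip())
    return headers


class SessionService:
    """Issues token pairs and records live refresh-token IDs so they can be revoked."""

    def __init__(self) -> None:
        self.active: Dict[str, str] = {}   # refresh jti -> user id (a DB table in production)

    def issue(self, user: str, now: float) -> Tuple[str, str]:
        jti = secrets.token_urlsafe(16)
        self.active[jti] = user
        access = sign_token({"sub": user, "type": "access", "exp": now + ACCESS_TTL})
        refresh = sign_token({"sub": user, "type": "refresh", "jti": jti, "exp": now + REFRESH_TTL})
        return access, refresh

    def refresh(self, refresh_token: str, now: float) -> Optional[Tuple[str, str]]:
        """Rotate: retire the presented refresh token and issue a new pair.
        A well-signed token whose jti is no longer active was already rotated or
        revoked, so it is being replayed: revoke every session of that user."""
        claims = verify_token(refresh_token, "refresh", now)
        if claims is None:
            return None
        jti = claims["jti"]
        if jti not in self.active:
            self.revoke_user(claims["sub"])
            return None
        del self.active[jti]
        return self.issue(claims["sub"], now)

    def logout(self, refresh_token: str, now: float) -> List[str]:
        """Drop the server-side record and return headers that clear both cookies."""
        claims = verify_token(refresh_token, "refresh", now)
        if claims is not None:
            self.active.pop(claims["jti"], None)
        return session_cookie_headers(None, None)

    def revoke_user(self, user: str) -> None:
        for jti in [j for j, u in self.active.items() if u == user]:
            del self.active[jti]
```

Note the trade-off this keeps: an access token is not looked up server-side, so it stays valid until its 15-minute expiry even after logout; that is why the short lifetime matters, and why revocation is enforced on the refresh token, which is the only credential that can extend the session.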
@vercel

vercel Bot commented Jun 20, 2026


@Prateek2007-cmd is attempting to deploy a commit to the janavipandole's projects Team on Vercel.

A member of the Team first needs to authorize it.
