feat: implement long-term user login with refresh tokens

- Introduced a dual-token system for user authentication: a short-lived access token and a long-lived rotating refresh token.
- Created a new RefreshToken model to manage refresh tokens securely.
- Updated auth_api.py to handle login, refresh, and logout processes with the new token system.
- Enhanced security measures including token rotation and theft detection.
- Updated frontend to handle token refresh on 401 errors and adjusted SSE authentication.
- Removed CORS middleware as it's unnecessary behind the nginx proxy.
- Added tests to ensure functionality and security of the new token system.

backend/tests/test_image_api.py

@@ -5,6 +5,7 @@ import time
 from config.paths import get_user_image_dir
 from PIL import Image as PILImage
 import pytest
+from tests.conftest import TEST_SECRET_KEY, TEST_REFRESH_TOKEN_EXPIRY_DAYS
 from werkzeug.security import generate_password_hash
 
 from flask import Flask
@@ -38,8 +39,9 @@ def add_test_user():
 def login_and_set_cookie(client):
     resp = client.post('/auth/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
     assert resp.status_code == 200
-    token = resp.headers.get("Set-Cookie")
-    assert token and "token=" in token
+    cookies = resp.headers.getlist("Set-Cookie")
+    cookie_str = ' '.join(cookies)
+    assert cookie_str and "access_token=" in cookie_str
 
 def safe_remove(path):
     try:
@@ -67,7 +69,8 @@ def client():
     app.register_blueprint(image_api)
     app.register_blueprint(auth_api, url_prefix='/auth')
     app.config['TESTING'] = True
-    app.config['SECRET_KEY'] = 'supersecretkey'
+    app.config['SECRET_KEY'] = TEST_SECRET_KEY
+    app.config['REFRESH_TOKEN_EXPIRY_DAYS'] = TEST_REFRESH_TOKEN_EXPIRY_DAYS
     with app.test_client() as c:
         add_test_user()
         remove_test_data()