feat: implement long-term user login with refresh tokens

- Introduced a dual-token system for user authentication: a short-lived access token and a long-lived rotating refresh token.
- Created a new RefreshToken model to manage refresh tokens securely.
- Updated auth_api.py to handle login, refresh, and logout processes with the new token system.
- Enhanced security measures including token rotation and theft detection.
- Updated frontend to handle token refresh on 401 errors and adjusted SSE authentication.
- Removed CORS middleware as it's unnecessary behind the nginx proxy.
- Added tests to ensure functionality and security of the new token system.

backend/tests/test_reward_api.py

@@ -1,4 +1,5 @@
 import pytest
+from tests.conftest import TEST_SECRET_KEY, TEST_REFRESH_TOKEN_EXPIRY_DAYS
 import os
 from werkzeug.security import generate_password_hash
 
@@ -30,8 +31,9 @@ def add_test_user():
 def login_and_set_cookie(client):
     resp = client.post('/auth/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
     assert resp.status_code == 200
-    token = resp.headers.get("Set-Cookie")
-    assert token and "token=" in token
+    cookies = resp.headers.getlist("Set-Cookie")
+    cookie_str = ' '.join(cookies)
+    assert cookie_str and "access_token=" in cookie_str
 
 @pytest.fixture
 def client():
@@ -39,7 +41,8 @@ def client():
     app.register_blueprint(reward_api)
     app.register_blueprint(auth_api, url_prefix='/auth')
     app.config['TESTING'] = True
-    app.config['SECRET_KEY'] = 'supersecretkey'
+    app.config['SECRET_KEY'] = TEST_SECRET_KEY
+    app.config['REFRESH_TOKEN_EXPIRY_DAYS'] = TEST_REFRESH_TOKEN_EXPIRY_DAYS
     with app.test_client() as client:
         add_test_user()
         login_and_set_cookie(client)