Better authentication

[nleroy917]

I think that the PEPhub authentication flow could be improved for slightly better security and ergonomics. Right now we mint a single JWT and then store it in localStorage. The JWT is valid for ~3 days. Its actually quite insecure to store JWTs in localStorage and its even more insecure to have a JWT last that long as it enables you to impresonate that individual for as long as its valid.

PEPhub isn't storing any crazy sensitive information so its probably fine as a first-pass.. but with a bit more work we can probably make it a lot more secure using a JWT + refresh token flow that stores them in httpOnly cookies instead of localStorage.

[nleroy917]

More specific about the technical details:

1. the auth/login endpoints would set cookies for the JWT + refresh token instead of returning the JWT. These would be httpOnly cookies.
2. The refresh token is stored in a database and points to a user and lets us know how long they are allowed to refefresh their JWT with that refresh token
3. we could use axios + withCredentials flags to send them automatically to the server with each request.
4. we could use axios interceptors to detect 401 responses and then resubmit any failed requests after refreshing the tokens
5. /auth/logout just removes the cookies from the server/browser connection