Summary
When a service attempts to log in with abandonauth, they are given a temporary token that is used to identify them on the respective service. This token is currently a regular JWT with a relatively long lifetime, and it can also be used multiple times to authenticate a single user. This is a security vulnerability. The token should be as short-lived as possible and also only be valid for a single use.
Acceptance Criteria
- Temporary JWTs have a very short lifespan, no more than 60 seconds
- We cache all the currently issued, valid and unused tokens on abandonauth
- An endpoint exists to check that a given token is in this cache of valid/unused tokens
- An endpoint exists to burn short-lived tokens (pop them from the cache of valid tokens)
  - This allows a service to call the endpoint and burn a token that is known to be consumed
- A garbage collector exists to remove all unused and expired tokens from this cache
  - This is to prevent the cache from becoming a memory leak
We will expand this issue to make tokens truly one-time-use. We should force tokens to be invalidated after a single use to identify a user. This means the /me endpoint should burn a token when it is used to call this endpoint (if it is a temporary token).
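The following is an added example sketching the acceptance criteria above together with the one-time-use behaviour asked for in the follow-up comment (the /me path burning the token). It is not abandonauth's own code: the HS256 signing key, the `TemporaryTokenStore` class, its `issue`/`is_valid`/`burn`/`consume`/`gc` methods and the in-memory dict standing in for the cache are all assumptions for illustration, and the injectable clock exists only so expiry can be exercised offline. The check-and-pop in `consume` is a single `dict.pop` so a token cannot be validated and consumed twice by two concurrent /me calls.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional

# Assumption: a symmetric HS256 key; a real deployment loads this from config.
SECRET = b"example-signing-key-not-for-production"
MAX_TTL = 60  # acceptance criterion: temporary tokens live no more than 60 seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())


def encode_jwt(claims: dict) -> str:
    """Minimal HS256 JWT encoder (stand-in for a JWT library)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_sign(head + '.' + body)}"


def decode_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature holds (and, when `now` is given, the
    token has not expired); otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    if not hmac.compare_digest(sig, _sign(head + "." + body)):
        return None
    claims = json.loads(_unb64(body))
    if now is not None and claims.get("exp", 0) <= now:
        return None
    return claims


class TemporaryTokenStore:
    """Cache of issued, valid and unused temporary tokens, keyed by jti."""

    def __init__(self, ttl: int = MAX_TTL, clock: Callable[[], float] = time.time):
        if ttl > MAX_TTL:
            raise ValueError(f"temporary token ttl must be <= {MAX_TTL}s")
        self.ttl = ttl
        self.clock = clock
        self._unused: Dict[str, int] = {}  # jti -> exp

    def issue(self, user_id: str, service_id: str) -> str:
        """Mint a short-lived temporary token and record it as unused."""
        now = int(self.clock())
        jti = secrets.token_urlsafe(16)  # unpredictable per-token id
        exp = now + self.ttl
        self._unused[jti] = exp
        return encode_jwt({"sub": user_id, "aud": service_id, "jti": jti,
                           "iat": now, "exp": exp, "temp": True})

    def is_valid(self, token: str) -> bool:
        """The 'check' endpoint: signed, unexpired and still in the unused cache."""
        claims = decode_jwt(token, self.clock())
        return claims is not None and claims.get("jti") in self._unused

    def burn(self, token: str) -> bool:
        """The 'burn' endpoint: a service pops a token it knows is consumed.
        Expiry is not checked here; an expired token is simply gone already."""
        claims = decode_jwt(token)
        if claims is None:
            return False
        return self._unused.pop(claims.get("jti"), None) is not None

    def consume(self, token: str) -> Optional[dict]:
        """What /me does with a temporary token: validate and burn in one step."""
        claims = decode_jwt(token, self.clock())
        if claims is None:
            return None
        # Single dict.pop: a second concurrent caller with the same token loses.
        if self._unused.pop(claims.get("jti"), None) is None:
            return None
        return claims

    def gc(self) -> int:
        """Garbage collector: drop expired entries so the cache cannot grow unbounded."""
        now = self.clock()
        expired = [jti for jti, exp in self._unused.items() if exp <= now]
        for jti in expired:
            del self._unused[jti]
        return len(expired)

    def __len__(self) -> int:
        return len(self._unused)
```

Because `consume` pops before returning the claims, the second presentation of the same token is rejected even though its signature and `exp` are still fine; the JWT alone is never sufficient, membership in the cache is. In a multi-instance deployment the dict would be a shared store (e.g. a Redis key with a TTL equal to the token lifetime), which also makes the garbage collector largely free.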