France-ioi / AlgoreaBackend

Backend for the new Algorea platform
MIT License

Delete expired token on session refresh #1087

Closed GeoffreyHuck closed 1 month ago

GeoffreyHuck commented 1 month ago

Related to #1022

We delete the expired tokens of the user when a user's session is refreshed. This replaces the old rule that deleted all the tokens, even non-expired ones, except the one used to refresh (and the new one of course).

Note: we don't delete the expired tokens if there's an error during the refresh to avoid having weird side effects.

New query - No index required

That's the new query to delete the expired tokens:

```sql
DELETE FROM `access_tokens` WHERE (session_id IN ((SELECT session_id FROM `sessions` WHERE (user_id = 2764843483654638029)))) AND (expires_at < "2020-01-01 01:00:00")
```

Review

Easier to review all at once. Details are in commit messages.
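The rule described in this pull request, as an added Go example that is not AlgoreaBackend's own code: a hypothetical in-memory `Store` stands in for the `sessions` and `access_tokens` tables, and `issue` is an assumed callback that supplies the new token. It shows that only expired tokens of the refreshing user's sessions are removed (with the strict `<` boundary of the query), and that a failed refresh removes nothing.

```go
package main

import (
	"fmt"
	"time"
)

type Token struct { // hypothetical stand-in for an access_tokens row
	Value     string
	SessionID int64
	ExpiresAt time.Time
}
type Store struct { // hypothetical stand-in for the database
	SessionUser map[int64]int64 // sessions table: session_id -> user_id
	Tokens      []Token
}

// Refresh stores the token from issue, then deletes the tokens of the user's sessions
// whose expires_at is strictly before now, as in the DELETE above.
func (s *Store) Refresh(userID int64, now time.Time, issue func() (Token, error)) error {
	tok, err := issue()
	if err != nil {
		return err // failed refresh: return before the cleanup, nothing is deleted
	}
	kept := s.Tokens[:0]
	for _, t := range s.Tokens {
		if owner, ok := s.SessionUser[t.SessionID]; !ok || owner != userID || !t.ExpiresAt.Before(now) {
			kept = append(kept, t)
		}
	}
	s.Tokens = append(kept, tok)
	return nil
}

// SampleStore is constructed data: user 1 owns sessions 10 and 11, user 2 owns 20.
func SampleStore(now time.Time) *Store {
	return &Store{map[int64]int64{10: 1, 11: 1, 20: 2}, []Token{
		{"old", 10, now.Add(-time.Hour)},   // expired, user 1: deleted
		{"edge", 10, now},                  // expires_at == now: kept (strict <)
		{"live", 11, now.Add(time.Hour)},   // valid token of another session: kept
		{"other", 20, now.Add(-time.Hour)}, // expired, but owned by user 2: kept
	}}
}

func main() {
	now := time.Date(2020, 1, 1, 1, 0, 0, 0, time.UTC)
	s := SampleStore(now)
	err := s.Refresh(1, now, func() (Token, error) { return Token{"new", 10, now.Add(time.Hour)}, nil })
	fmt.Println(err, s.Tokens)
}
```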

codecov[bot] commented 1 month ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 100.00%. Comparing base (21b116c) to head (644b514).

Additional details and impacted files

```diff
@@              Coverage Diff              @@
##   avoidSessionSpamming    #1087   +/-   ##
======================================================
  Coverage   100.00%   100.00%
======================================================
  Files          237       237
  Lines        14359     14368    +9
======================================================
+ Hits         14359     14368    +9
```
