GoogleCloudPlatform / healthcare-federated-access-services

Apache License 2.0

Cart token outlives cart #24

Open monicavalluri opened 4 years ago

monicavalluri commented 4 years ago

When authorizing a view, the cart token that is given back has a default TTL of 3600 seconds; however, the cart itself is only valid for 300 seconds or so.

The user would expect:

  1. To get a token that gives them access to the cart
  2. To use the token for the entire TTL of the cart token against the checkout API
  3. When the cart token expires, to be given a 401

This is related to #23
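One way to keep the two lifetimes consistent is to clamp the token's expiry to the cart's remaining lifetime at issuance and to check both on checkout. This is an added Go example, not the project's code; the `Cart`/`CartToken` types, `IssueCartToken`, `Checkout` and the in-memory cart map are assumptions, and the 3600/300 second values are taken from the report above.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical types standing in for the service's cart and cart token.
type Cart struct {
	ID        string
	ExpiresAt time.Time
}

type CartToken struct {
	CartID    string
	ExpiresAt time.Time
}

const defaultTokenTTL = 3600 * time.Second // default token TTL from the report
const cartTTL = 300 * time.Second          // cart lifetime from the report

var ErrUnauthorized = errors.New("401: cart token expired or cart no longer valid")

// IssueCartToken never lets a token outlive the cart it grants access to:
// the expiry is the earlier of now+defaultTokenTTL and the cart's own expiry.
func IssueCartToken(cart Cart, now time.Time) CartToken {
	exp := now.Add(defaultTokenTTL)
	if cart.ExpiresAt.Before(exp) {
		exp = cart.ExpiresAt
	}
	return CartToken{CartID: cart.ID, ExpiresAt: exp}
}

// Checkout rejects an expired token, and also a token whose cart has been
// removed or has expired, so both cases surface to the caller as a 401.
func Checkout(tok CartToken, carts map[string]Cart, now time.Time) error {
	if !now.Before(tok.ExpiresAt) {
		return ErrUnauthorized
	}
	cart, ok := carts[tok.CartID]
	if !ok || !now.Before(cart.ExpiresAt) {
		return ErrUnauthorized
	}
	return nil
}

func main() {
	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timestamp
	cart := Cart{ID: "cart-1", ExpiresAt: now.Add(cartTTL)}
	carts := map[string]Cart{cart.ID: cart}
	tok := IssueCartToken(cart, now)
	fmt.Println("token lifetime:", tok.ExpiresAt.Sub(now)) // 5m0s, not 1h0m0s
	fmt.Println("checkout at 200s:", Checkout(tok, carts, now.Add(200*time.Second)))
	fmt.Println("checkout at 400s:", Checkout(tok, carts, now.Add(400*time.Second)))
}
```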

monicavalluri commented 4 years ago

@patmagee's comment: Also related to this: we should figure out the relationship between refresh tokens and the cart. If a user gets a refresh token after being authorized for specific resources, no access tokens generated with the refresh work with the cart endpoint. Should this be the desired behavior?