Permanent Token Pollution

[hammy275]

Since permanent tokens literally last forever, we need to take some measures to prevent a giant amount of them from being generated. Ideas include:

• Allowing an auth flow of username/password --> temp-token --> comp-status requests, so people not using cookies on the web client don't need to worry about creating a ton of tokens. Note that on cookie switch, we should attempt to automatically delete our token.
• 1 permanent token per account. This way, the token represents the user, and can be deleted easily instead of guessing the token in the case of an attack on the user's permanent token.

[hammy275]

There should probably also be a rate limit (configurable, of course) for handing out permanent tokens, to prevent a bad actor from rapidly filling a hard drive or similar. This would not be implemented if we went with the 1 permanent token per account system.

[hammy275]

Added in commit https://github.com/hammy3502/comp-status/commit/d34ac7696d73b3e98d87473df7dbb382274f8f5d . Manual deletion of old perma-tokens from the db is required.