lifeomic / app-tools

Common utilities for PHC app development
MIT License

fix: remove expiresIn from storageKeys and add some tests for coverage #74

Closed virdesai closed 2 years ago

virdesai commented 2 years ago

👍

Do you plan to address the case when starting passwordless flow for a user that does not exist (200 but no session in body) as well? https://lifeomic.slack.com/archives/C03AS9T658R/p1655755418666159

I could take it on if not

@jkdowdle so this part should address this from a warning popping up (https://github.com/lifeomic/app-tools/pull/74/files#diff-6717c6b296146f63756ffb235fde533f221274ae1066c891d63b6381d9a1d47bR265-R266). But I suppose this does bring up a point that we're not verifying the success of the API call, and that means we're also not rejecting from here when invalid creds are used.

jkdowdle commented 2 years ago

@virdesai 🤦 I see. I should have noticed how `_store` is then being used; this should work great for the use case I mentioned. I think in this case we want that API call to "appear" like it was valid.

github-actions[bot] commented 2 years ago

:tada: This PR is included in version 3.0.2 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

loscm commented 2 years ago

Requested review from a random @lifeomic/security team member, @bishopb, due to term: password.

This review is not blocking and is for broader awareness. Consider if this change requires deeper security review and ask when it is necessary.