Auth: no refresh tokens — all users forced to re-login after 1 hour

[PythonFZ]

Problem

JWT access tokens expire after 1 hour (token_lifetime_seconds = 3600 in zndraw_auth/settings.py). There is no refresh token mechanism — when the token expires, the frontend 401 interceptor silently downgrades the user to a guest session instead of re-authenticating them.

Impact: Every registered user loses their authenticated identity after 1 hour and sees "Session expired — reconnected as guest". They must manually re-login.

Current flow

1. User logs in → receives a single JWT (access token, 1h lifetime)
2. Token expires → REST calls return 401
3. Axios interceptor catches 401 → calls acquireToken() → falls back to guest login
4. User is now a guest — no attempt to refresh the original session

Same issue affects Socket.IO reconnects and CLI token resolution.

Expected flow

1. User logs in → receives access token (short-lived, e.g. 15 min) + refresh token (long-lived, e.g. 7 days, httpOnly cookie)
2. Access token expires → 401 on REST call
3. Interceptor calls a /v1/auth/jwt/refresh endpoint with the refresh token → gets a new access token
4. Original request is retried transparently — user stays authenticated
5. Only when the refresh token itself expires does the user need to re-login

Key files

• src/zndraw_auth/settings.py:32 — token_lifetime_seconds = 3600
• src/zndraw_auth/users.py:98-105 — JWTStrategy (no refresh support)
• frontend/src/myapi/client.ts:115-141 — 401 interceptor (falls back to guest)
• frontend/src/utils/auth.ts:155-176 — acquireToken() (no refresh, just guest fallback)

Notes

• fastapi-users supports refresh tokens via a separate transport/strategy — this should be leveraged rather than building from scratch
• The refresh token should be stored as an httpOnly cookie (not localStorage) to limit XSS exposure
• Guest users are less affected since they just get a new guest session, but registered users lose room ownership, permissions, etc.