feat(auth): implement Android refresh token handling and session management
Some checks failed
Code Analysis and Production Deploy / analyze (push) Failing after 5m7s
Code Analysis and Production Deploy / deploy-production (push) Has been skipped
Code Analysis and Production Deploy / deploy-test (push) Has been skipped

- Added support for generating Android access tokens and managing refresh sessions in the auth endpoints.
- Implemented new tests for login, logout, and refresh functionalities specific to Android clients.
- Enhanced password reset logging with normalization and masking of email addresses.
- Created a new diagnostics endpoint for password reset attempts, including filtering and summarizing logs.
- Introduced a new utility for managing password reset logs with retention policies.
- Added tests for password reset log utilities to ensure proper functionality and privacy compliance.
- Updated WebAuthn configuration tests to validate origin handling for production and allowed origins.
Torsten Schulz (local)
2026-05-27 19:34:32 +02:00
parent 755442fb70
commit 58fd7fa5c6
32 changed files with 1477 additions and 180 deletions

@@ -1,4 +1,4 @@
import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
import { getUserFromToken, readUsers, writeUsers, hasAnyRole, revokeRefreshSessionsForUser } from '../../../utils/auth.js'
import { writeAuditLog } from '../../../utils/audit-log.js'
export default defineEventHandler(async (event) => {
@@ -36,6 +36,7 @@ export default defineEventHandler(async (event) => {
user.active = false
const updatedUsers = users.map(u => u.id === userId ? user : u)
await writeUsers(updatedUsers)
await revokeRefreshSessionsForUser(userId, 'account_deactivated')
await writeAuditLog('cms.user.deactivated', {
actorUserId: currentUser.id,
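Review bot: if `revokeRefreshSessionsForUser(userId, 'account_deactivated')` rejects, placed as it is between `writeUsers(updatedUsers)` and `writeAuditLog('cms.user.deactivated', ...)`, the account is already persisted as inactive but the audit entry is never written and the handler falls through to the `throw error` path. That leaves a deactivated user whose refresh sessions may still be valid, with no audit record of the deactivation. Consider handling a revocation failure separately so the audit log is written in either case, and include the revocation outcome in the audit payload so a failed revoke is visible and can be retried. If none of the new tests cover this path, a test asserting that a deactivated user's refresh sessions are rejected afterwards would be worth adding.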
@@ -51,4 +52,3 @@ export default defineEventHandler(async (event) => {
throw error
}
})