feat(auth): implement Android refresh token handling and session management

- Added support for generating Android access tokens and managing refresh sessions in the auth endpoints.
- Implemented new tests for login, logout, and refresh functionalities specific to Android clients.
- Enhanced password reset logging with normalization and masking of email addresses.
- Created a new diagnostics endpoint for password reset attempts, including filtering and summarizing logs.
- Introduced a new utility for managing password reset logs with retention policies.
- Added tests for password reset log utilities to ensure proper functionality and privacy compliance.
- Updated WebAuthn configuration tests to validate origin handling for production and allowed origins.

tests/config-profile-endpoints.spec.ts

@@ -10,6 +10,7 @@ vi.mock('../server/utils/auth.js', () => ({
   writeUsers: vi.fn(),
   verifyPassword: vi.fn(),
   hashPassword: vi.fn(),
+  revokeRefreshSessionsForUser: vi.fn(),
   migrateUserRoles: vi.fn((user) => {
     if (!user) return user
     if (Array.isArray(user.roles)) return user
@@ -202,6 +203,7 @@ describe('Config & Profil Endpoints', () => {
       expect(result.success).toBe(true)
       expect(result.user.name).toBe('Max Neu')
       expect(authUtils.writeUsers).toHaveBeenCalled()
+      expect(authUtils.revokeRefreshSessionsForUser).not.toHaveBeenCalled()
     })
 
     it('prüft aktuelles Passwort bei Passwortänderung', async () => {
@@ -236,6 +238,7 @@ describe('Config & Profil Endpoints', () => {
 
       expect(result.success).toBe(true)
       expect(authUtils.hashPassword).toHaveBeenCalledWith(updatedPassword)
+      expect(authUtils.revokeRefreshSessionsForUser).toHaveBeenCalledWith('1', 'password_changed')
     })
   })
 })