feat(api-auth): implement refresh token rotation and revoke

apps/api/.env.example

@@ -1,4 +1,5 @@
 DATABASE_URL="postgresql://postgres:postgres@localhost:5432/todolist?schema=public"
 AUTH_ACCESS_SECRET="dev-access-secret"
 AUTH_ACCESS_EXPIRES_IN_SECONDS="900"
+AUTH_REFRESH_EXPIRES_IN_SECONDS="2592000"
 AUTH_EMAIL_CODE_TTL_SECONDS="300"