* Move access/refresh tokens to secure cookies (#20779)
* feat: adds the `credentials: include` header to all manual requests
* feat: adds `credentials: include` as a configurable option to xhr requests (and sets it by default to true)
* feat: configures the auto-generated fetch client from hey-api to include credentials by default
* Add OpenIddict handler to hide tokens from the back-office client
* Make back-office token redaction optional (default false)
* Clear back-office token cookies on logout
* Add configuration for backoffice cookie settings
* Make cookies forcefully secure + move cookie handler enabling to the BackOfficeTokenCookieSettings
* Use the "__Host-" prefix for cookie names
* docs: adds documentation on cookie settings
* build: sets up launch profile for vscode with new cookie recommended settings
* docs: adds extra note around SameSite settings
* docs: adds extra note around SameSite settings
* Respect sites that do not use HTTPS
* Explicitly invalidate potentially valid, old refresh tokens that should no longer be used
* Removed obsolete const
---------
Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
* Remove configuration option
* Invalidate all existing access tokens on upgrade
* docs: updates recommended settings for development
* build: removes non-existing variable
* Skip flaky test
* Bumped version of our test helpers to fix failing tests
---------
Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
Co-authored-by: Andreas Zerbst <andr317c@live.dk>
ba7d550a74