
Support variable JWT session durations #1839

Closed

Conversation

darrylkuhn

This change introduces a runtime configuration variable httpd.token_duration which allows for variable JWT token durations specified as a number of minutes. If unspecified the token duration defaults to the historically hardcoded default value of 20 minutes.

@darrylkuhn darrylkuhn requested a review from drakkan as a code owner December 10, 2024 20:55
@CLAassistant

CLAassistant commented Dec 10, 2024

CLA assistant check
All committers have signed the CLA.

@drakkan
Owner

drakkan commented Dec 16, 2024

Thank you for this contribution.

I agree that making JWT lifetime configurable is useful and I think we should implement what NIST recommends, thanks for sharing.

The allowed duration should not exceed 12 hours and we should also not automatically renew cookies older than 12 hours, regardless of user activity.

I think that to provide a useful feature for all use cases we should make it possible to have different configurable lifespans for at least the JWT/cookies used in web UIs and REST APIs. Allowing different lifespans for cookies for WebAdmin and WebClient could also be useful in some use cases but is probably overkill.

We should also rework the middleware that automatically refreshes cookies and the scheduling of the cleanup tasks.
Currently, if you update a user or admin, the cookie with the old permissions will continue to work for up to 20 minutes; once we allow a longer duration, we should no longer allow an old cookie to be valid for, say, 8 hours.

The first approach I tried was to make the duration configurable per-binding, but the resulting change seems too complex. I will try again in the next few days with a different global duration for REST API and WebUI.
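The session rules drakkan lays out above (a configurable lifetime that must not exceed 12 hours, no automatic renewal once a session is 12 hours old regardless of activity, and a cookie issued before a user or admin update ceasing to work) written out as an added Go example. This is illustration code, not SFTPGo's implementation: the `SessionPolicy` type, the minutes-based setting it reads, and the `SessionAt`/`IssuedAt` bookkeeping on the token are assumptions made here to show how such a policy can be enforced.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Constructed example, not SFTPGo code. Models three rules from the PR thread:
// lifetime capped at 12h, no renewal past 12h of session age, and rejection of
// tokens issued before the account was last updated.
const (
	maxLifetime     = 12 * time.Hour   // absolute cap, per the maintainer's comment
	defaultLifetime = 20 * time.Minute // historical hardcoded default
)

var (
	ErrLifetimeTooLong = errors.New("token duration exceeds 12 hour maximum")
	ErrExpired         = errors.New("token expired")
	ErrSessionTooOld   = errors.New("session older than 12 hours, re-authentication required")
	ErrStale           = errors.New("token predates last account update")
)

// SessionPolicy carries the configured lifetime (hypothetical minutes setting).
type SessionPolicy struct {
	Lifetime time.Duration
}

// NewSessionPolicy turns a minutes value into a policy: unset (<=0) falls back to
// the 20 minute default, anything above 12 hours is rejected at config load.
func NewSessionPolicy(minutes int) (SessionPolicy, error) {
	if minutes <= 0 {
		return SessionPolicy{Lifetime: defaultLifetime}, nil
	}
	d := time.Duration(minutes) * time.Minute
	if d > maxLifetime {
		return SessionPolicy{}, ErrLifetimeTooLong
	}
	return SessionPolicy{Lifetime: d}, nil
}

// Token is the subset of claims the policy needs (assumed layout).
type Token struct {
	Subject   string
	IssuedAt  time.Time // iat of this (possibly refreshed) token
	SessionAt time.Time // when the session was first authenticated
	ExpiresAt time.Time
}

// Issue mints a fresh token; the session clock starts now.
func (p SessionPolicy) Issue(subject string, now time.Time) Token {
	return Token{Subject: subject, IssuedAt: now, SessionAt: now, ExpiresAt: now.Add(p.Lifetime)}
}

// Refresh renews an unexpired token but never extends a session beyond 12 hours
// from first authentication, no matter how active the user is.
func (p SessionPolicy) Refresh(t Token, now time.Time) (Token, error) {
	if !now.Before(t.ExpiresAt) {
		return Token{}, ErrExpired
	}
	if now.Sub(t.SessionAt) >= maxLifetime {
		return Token{}, ErrSessionTooOld
	}
	exp := now.Add(p.Lifetime)
	if limit := t.SessionAt.Add(maxLifetime); exp.After(limit) {
		exp = limit // clamp to the absolute session limit
	}
	return Token{Subject: t.Subject, IssuedAt: now, SessionAt: t.SessionAt, ExpiresAt: exp}, nil
}

// Validate rejects expired tokens and tokens issued before the account's last
// update, so old permissions stop working as soon as the user/admin changes.
func (p SessionPolicy) Validate(t Token, lastUpdated, now time.Time) error {
	if !now.Before(t.ExpiresAt) {
		return ErrExpired
	}
	if t.IssuedAt.Before(lastUpdated) {
		return ErrStale
	}
	return nil
}

func main() {
	p, _ := NewSessionPolicy(480) // 8 hours, within the cap
	start := time.Date(2024, 12, 10, 20, 55, 0, 0, time.UTC)
	tok := p.Issue("alice", start)
	r, _ := p.Refresh(tok, start.Add(6*time.Hour))
	fmt.Println("refreshed expiry clamped to:", r.ExpiresAt) // start + 12h, not + 14h
	_, err := p.Refresh(r, start.Add(12*time.Hour))
	fmt.Println("refresh at 12h:", err)
	fmt.Println("after account update:", p.Validate(tok, start.Add(time.Minute), start.Add(2*time.Minute)))
}
```

The config-time cap means a misconfigured 13 hour value fails at startup rather than silently issuing long-lived tokens, and comparing `IssuedAt` against the account's last-update timestamp is what lets a permission change take effect immediately instead of after the old cookie expires.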

@drakkan drakkan closed this in ec90b61 Dec 19, 2024