feat(M13-003): Implement refresh tokens with rotation and revocation

Implements OAuth2 refresh tokens following RFC 6749 with security best
practices:

- RefreshToken entity with TokenFamilyId for chain tracking
- Token rotation: old token revoked, new one issued on each use
- Token reuse detection: entire family revoked on reuse attempt
- Revocation endpoint following RFC 7009
- Audit logging for token issuance, rotation, and revocation events

Key features:
- SHA-256 hashed token storage
- "octr_" prefix for easy identification
- Configurable token lifetime (default: 30 days)
- Support for both public and confidential clients
- Scope preservation across token refresh

Author: Ibrahim5aad

src/Octopus.Server.App/Auth/OAuthTokenService.cs

@@ -69,11 +69,21 @@ string GenerateAccessToken(
     /// </summary>
     string GenerateAuthorizationCode();
 
+    /// <summary>
+    /// Generates a cryptographically random refresh token.
+    /// </summary>
+    string GenerateRefreshToken();
+
     /// <summary>
     /// Hashes an authorization code for storage.
     /// </summary>
     string HashCode(string code);
 
+    /// <summary>
+    /// Hashes a refresh token for storage using SHA-256.
+    /// </summary>
+    string HashRefreshToken(string token);
+
     /// <summary>
     /// Verifies a PKCE code verifier against a stored code challenge.
     /// </summary>
@@ -89,10 +99,25 @@ string GenerateAccessToken(
     /// </summary>
     int AccessTokenLifetimeSeconds { get; }
 
+    /// <summary>
+    /// Gets the refresh token lifetime in seconds.
+    /// </summary>
+    int RefreshTokenLifetimeSeconds { get; }
+
+    /// <summary>
+    /// Whether refresh tokens are enabled.
+    /// </summary>
+    bool RefreshTokensEnabled { get; }
+
     /// <summary>
     /// Gets the authorization code expiration time from now.
     /// </summary>
     DateTimeOffset GetAuthorizationCodeExpiration();
+
+    /// <summary>
+    /// Gets the refresh token expiration time from now.
+    /// </summary>
+    DateTimeOffset GetRefreshTokenExpiration();
 }
 
 /// <summary>
@@ -120,6 +145,10 @@ public OAuthTokenService(IOptions<OAuthTokenOptions> options)
 
     public int AccessTokenLifetimeSeconds => _options.AccessTokenLifetimeMinutes * 60;
 
+    public int RefreshTokenLifetimeSeconds => _options.RefreshTokenLifetimeDays * 24 * 60 * 60;
+
+    public bool RefreshTokensEnabled => _options.EnableRefreshTokens;
+
     public string GenerateAccessToken(
         string subject,
         Guid userId,
@@ -164,6 +193,29 @@ public string GenerateAuthorizationCode()
             .TrimEnd('=');
     }
 
+    public string GenerateRefreshToken()
+    {
+        // Generate a 256-bit random refresh token with "octr_" prefix for identification
+        var bytes = new byte[32];
+        using var rng = RandomNumberGenerator.Create();
+        rng.GetBytes(bytes);
+        var token = Convert.ToBase64String(bytes)
+            .Replace("+", "-")
+            .Replace("/", "_")
+            .TrimEnd('=');
+        return $"octr_{token}";
+    }
+
+    public string HashRefreshToken(string token)
+    {
+        // Use SHA-256 for hashing refresh tokens
+        // Refresh tokens are long-lived but single-use per rotation
+        using var sha256 = SHA256.Create();
+        var bytes = Encoding.UTF8.GetBytes(token);
+        var hash = sha256.ComputeHash(bytes);
+        return Convert.ToBase64String(hash);
+    }
+
     public string HashCode(string code)
     {
         // Use SHA-256 for hashing authorization codes
@@ -243,4 +295,9 @@ public DateTimeOffset GetAuthorizationCodeExpiration()
     {
         return DateTimeOffset.UtcNow.AddMinutes(_options.AuthorizationCodeLifetimeMinutes);
     }
+
+    public DateTimeOffset GetRefreshTokenExpiration()
+    {
+        return DateTimeOffset.UtcNow.AddDays(_options.RefreshTokenLifetimeDays);
+    }
 }