Small enhancements to auth system #249

@davenquinn

After finishing #195, some minor enhancements to the auth system might be useful:

  • Refresh tokens should be generated at the same time login status is returned, for efficiency. This involves unifying the /refresh and /me routes to a /status route (/refresh should also be kept, either as a synonym or a route that only refreshes tokens without returning user info)
  • Small refactoring to unify token generation – it looks like the create_access_token function could be used to mint refresh tokens as well, with small modifications?
  • We should remove the groups key from the token as I think it is outdated
  • REDIRECT_URI_ENV should be renamed to OAUTH_REDIRECT_URI for parallelism
  • Consider renaming the entire group of routes to /auth/... for clarity

Especially for the last few, we should have a transition period where both possible configurations are accepted (via redirects and fallbacks)... that should only take a few lines of code, hopefully.
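
An added sketch of the first three points (not code from the project or from the issue author): one function mints both token kinds, a claim naming the token kind keeps a refresh token from being accepted where an access token is expected, and no groups claim is written. The names `mint_token`, `verify_token` and `status`, the `type` claim, the secret and the lifetimes are assumptions made for illustration; the project's own `create_access_token` does not appear on this page.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed value; use a managed secret in practice
LIFETIMES = {"access": 900, "refresh": 30 * 86400}  # assumed lifetimes in seconds

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def mint_token(sub, token_type, now=None):
    """One minting path for both kinds of token; no 'groups' claim is written."""
    if token_type not in LIFETIMES:
        raise ValueError("unknown token type")
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "type": token_type, "iat": now, "exp": now + LIFETIMES[token_type]}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + _sign(signing_input)

def verify_token(token, expected_type, now=None):
    """Check the signature first, then the token kind and the expiry."""
    now = int(time.time()) if now is None else now
    signing_input, _, sig = token.rpartition(".")
    # The algorithm is fixed to HS256 here; the header's "alg" is never trusted.
    if not hmac.compare_digest(sig.encode(), _sign(signing_input).encode()):
        raise ValueError("bad signature")
    body = signing_input.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("type") != expected_type:
        raise ValueError("wrong token type")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def status(refresh_token, now=None):
    """Hypothetical /status handler body: user info and fresh tokens in one response."""
    claims = verify_token(refresh_token, "refresh", now)
    return {
        "user": claims["sub"],
        "access_token": mint_token(claims["sub"], "access", now),
        "refresh_token": mint_token(claims["sub"], "refresh", now),
    }
```

Without the kind check in `verify_token`, sharing one minting function would make the two tokens interchangeable, and a long-lived refresh token would work as an access token.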
