Fix remember-me token resynchronization

[ruibaby]

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR adjusts persistent remember-me token validation so a request presenting the previous token value is treated as a stale-but-recoverable token instead of cookie theft.

When a remember-me token is rotated, another in-flight request, restored tab, or cached response can still present the previous token value. The previous token is already stored on the RememberMeToken extension, so accepting it preserves the intended rotation safety while avoiding false-positive CookieTheftException handling that deletes all remember-me tokens for the user.

When the previous token is accepted, Halo now writes the current remember-me token back to the response cookie so the browser can resynchronize.

Which issue(s) this PR fixes:

N/A

Special notes for your reviewer:

Validated against production logs showing a previous token value being presented after rotation and later treated as cookie theft. The change still rejects token values that match neither the current nor previous token.

This PR was prepared with AI assistance and reviewed locally.

Checks run:

./gradlew :application:test --tests "run.halo.app.security.authentication.rememberme.PersistentTokenBasedRememberMeServicesTest"
./gradlew :application:spotlessApply
git diff --check

Does this PR introduce a user-facing change?

Fixed an issue where remember-me authentication could incorrectly expire user login sessions after token rotation.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[f2c-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ruibaby for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.03%. Comparing base (42c374d) to head (b5d66b3).
⚠️ Report is 588 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #10015      +/-   ##
============================================
+ Coverage     59.55%   61.03%   +1.47%     
- Complexity     3812     4089     +277     
============================================
  Files           677      706      +29     
  Lines         23248    23768     +520     
  Branches       1500     1562      +62     
============================================
+ Hits          13846    14506     +660     
+ Misses         8764     8515     -249     
- Partials        638      747     +109     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.