feat(auth): harden authentication with argon2 passwords and rotating hashed refresh tokens

ts_interfaces/data/loint-reception.loginsession.ts

@@ -1,15 +1,22 @@
 export interface ILoginSession {
   id: string;
   data: {
-    userId: string;
+    userId: string | null;
     validUntil: number;
     invalidated: boolean;
-    refreshToken: string;
+    /**
+     * legacy plaintext refresh token field kept so existing sessions can migrate on first use
+     */
+    refreshToken?: string | null;
+    refreshTokenHash?: string | null;
+    rotatedRefreshTokenHashes?: string[];
+    transferTokenHash?: string | null;
+    transferTokenExpiresAt?: number | null;
     /**
      * a device id that can be used to share the login session
      * in different contexts on the same device
      */
-    deviceId: string;
+    deviceId?: string | null;
     /**
      * Device metadata for session display
      */
@@ -18,7 +25,7 @@ export interface ILoginSession {
       browser: string;
       os: string;
       ip: string;
-    };
+    } | null;
     /**
      * When this session was created
      */