JWT Blacklisting, Token Revocation #307

Merged
merged 5 commits into from
Jul 29, 2025
Conversation

matoszz
Member

@matoszz matoszz commented Jul 25, 2025

As a part of another PR it was noted that the EndImpersonation handler did nothing but log the request for ending the session, but didn't actually do anything. After thinking through this, I realized that one of the underlying lacking capabilities available in this library would be JWT blacklisting + token revocation.

Because we cannot modify a JWT after it's been issued (e.g. expire the issued token), the available method(s) to initiate a revocation and stop the use of the token is to leverage what's called a "blacklist" (the alternative being a whitelist). Because the list of tokens we'd actually force-revoke should always be relatively small, it's not a ton of overhead to add verification checks to our code to ensure it's not a part of the blacklist. The inverse method would be to track all issued, valid tokens and confirm the token is inside of that latter list, which seemed to have much more strict data durability requirements than a blacklist, since in a blacklist situation, if our redis cache were down, we can fall back to the fact the issued token will naturally age out (and should have a short life to begin with).

In addition to blacklisting capabilities, this PR also:

  • Added ability to suspend users and automatically revoke all their tokens
  • Should only require us to store in the blacklist tokens revoked within the rolling period of the token life
  • Shortens overall impersonation token lifetimes
  • Weak RSA Key Fixes - Upgraded all test RSA keys from 1024-bit to 2048-bit minimum
  • Fixed MustRefreshTokenFromContext to use correct type
  • Cookie simplification; created a new single, clean NewCookie() implementation and cut the existing lines of code in ~half
  • URLToken simplification; refactored to remove duplicated logic and redundant configuration
  • Better overall test coverage for sessions and token packages

Other misc:

  • default silent task for echoing the task list without a failure
  • version updates / dependency updates
  • added build branch to the buildkite badge for the repo
  • more consistently used assert in preference over require in tests
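The revocation design described in the PR text above (a bounded blacklist keyed by token id, entries that live no longer than the token itself, a per-user suspension that rejects every earlier-issued token, and a fall-back to natural expiry when the cache is unreachable) sketched as a stand-alone Go example. This is an added illustration, not code from the PR or the library; the `Claims`, `Store`, `Blacklist` names, the key prefixes and the in-memory `memStore` standing in for Redis are all assumptions, and signature verification and JWT parsing are assumed to have already happened upstream.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Claims is the subset of verified JWT claims the revocation logic needs
// (hypothetical struct; a real parser would populate it after signature checks).
type Claims struct {
	JTI, Subject        string
	IssuedAt, ExpiresAt time.Time
}

var ErrStoreUnavailable = errors.New("revocation store unavailable")

// Store is the minimal key/value interface a Redis-backed blacklist needs.
type Store interface {
	SetWithTTL(key, value string, ttl time.Duration) error
	Get(key string) (value string, found bool, err error)
}

// memStore is an in-memory stand-in for Redis with per-key expiry and a
// switch to simulate an outage (assumption for the example, not real code).
type memStore struct {
	mu   sync.Mutex
	data map[string]entry
	down bool
	now  func() time.Time
}
type entry struct {
	value string
	exp   time.Time
}

func newMemStore(now func() time.Time) *memStore {
	return &memStore{data: map[string]entry{}, now: now}
}
func (m *memStore) SetWithTTL(key, value string, ttl time.Duration) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.down {
		return ErrStoreUnavailable
	}
	m.data[key] = entry{value: value, exp: m.now().Add(ttl)}
	return nil
}
func (m *memStore) Get(key string) (string, bool, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.down {
		return "", false, ErrStoreUnavailable
	}
	e, ok := m.data[key]
	if !ok || !m.now().Before(e.exp) { // expired entries age out with the token
		delete(m.data, key)
		return "", false, nil
	}
	return e.value, true, nil
}

// fakeClock lets the demo and tests move time forward deterministically.
type fakeClock struct{ t time.Time }

func (c *fakeClock) Now() time.Time              { return c.t }
func (c *fakeClock) Advance(d time.Duration)     { c.t = c.t.Add(d) }

// Blacklist revokes single tokens by jti and whole users via a "revoked
// before" watermark. Entries carry a TTL bounded by the token life, so the
// list only ever holds tokens revoked within the rolling lifetime window.
type Blacklist struct {
	store Store
	now   func() time.Time
	// FailOpen: when the store is unreachable, accept the token and rely on
	// its natural expiry (the trade-off argued for in the PR description).
	FailOpen bool
}

func (b *Blacklist) RevokeToken(c Claims) error {
	ttl := c.ExpiresAt.Sub(b.now())
	if ttl <= 0 {
		return nil // already expired; nothing worth storing
	}
	return b.store.SetWithTTL("jwt:revoked:"+c.JTI, "1", ttl)
}

// SuspendUser rejects every token issued to sub at or before now. maxLife is
// the longest lifetime the issuer grants, so the watermark also ages out.
func (b *Blacklist) SuspendUser(sub string, maxLife time.Duration) error {
	mark := b.now().UTC().Format(time.RFC3339Nano)
	return b.store.SetWithTTL("jwt:user-revoked-before:"+sub, mark, maxLife)
}

func (b *Blacklist) Validate(c Claims) error {
	if !b.now().Before(c.ExpiresAt) {
		return errors.New("token expired")
	}
	if _, revoked, err := b.store.Get("jwt:revoked:" + c.JTI); err != nil {
		return b.storeError(err)
	} else if revoked {
		return errors.New("token revoked")
	}
	mark, ok, err := b.store.Get("jwt:user-revoked-before:" + c.Subject)
	if err != nil {
		return b.storeError(err)
	}
	if ok {
		t, perr := time.Parse(time.RFC3339Nano, mark)
		if perr != nil {
			return fmt.Errorf("corrupt watermark: %w", perr)
		}
		if !c.IssuedAt.After(t) { // iat is usually whole seconds; reject the boundary second too
			return errors.New("user suspended; token issued before suspension")
		}
	}
	return nil
}

func (b *Blacklist) storeError(err error) error {
	if b.FailOpen {
		return nil
	}
	return fmt.Errorf("cannot check revocation: %w", err)
}

func main() {
	clk := &fakeClock{t: time.Date(2025, 7, 29, 12, 0, 0, 0, time.UTC)}
	st := newMemStore(clk.Now)
	bl := &Blacklist{store: st, now: clk.Now, FailOpen: true}
	tok := Claims{JTI: "abc", Subject: "user-1", IssuedAt: clk.Now(), ExpiresAt: clk.Now().Add(15 * time.Minute)}
	fmt.Println("fresh:", bl.Validate(tok))
	_ = bl.RevokeToken(tok)
	fmt.Println("revoked:", bl.Validate(tok))
	st.down = true
	fmt.Println("store down, fail-open:", bl.Validate(tok))
}
```

The `FailOpen` flag makes the trade-off explicit: while the store is down, a revoked token is accepted again until its `exp` passes, so the window of exposure is exactly the token lifetime, which is why short-lived tokens matter for this design. Flipping `FailOpen` to false gives fail-closed behaviour (every validation errors during the outage) for deployments that prefer availability loss over a revocation gap.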

@matoszz matoszz requested a review from a team as a code owner July 25, 2025 18:35
@github-actions github-actions bot added the enhancement New feature or request label Jul 25, 2025
@matoszz matoszz enabled auto-merge (squash) July 25, 2025 19:28
@golanglemonade golanglemonade left a comment

Nice - only a few nits; looks like there are breaking changes from the exported Verify -> Validate functions, can you make sure this is tagged as minor bump?

Quality Gate failed

Failed conditions
6.7% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@matoszz matoszz merged commit a699c4a into main Jul 29, 2025
12 of 13 checks passed
@matoszz matoszz deleted the feat-updateimpersonation branch July 29, 2025 13:22
Labels
enhancement New feature or request