Revisit auth token refresh & expiry

[archived-m]

Mobile users should not have to log in as much as they have to. Check & follow best practices for authentication

[archived-m]

Mobile tokens should never expire or last for a very long time, so I'd set a request header in the mobile app that we verify server-side. We can then determine token expiry time based on who requested it.