Ensure token refresh is always scheduled #6802

Merged (3 commits), Apr 30, 2024

Conversation

philippjfr (Member) commented Apr 30, 2024

There appears to have been an oversight in setting up token refreshes, in particular how/when refreshes are scheduled. In particular the _schedule_refresh function was only ever called when a user was either:

  1. Visiting the application for the first time and going through the whole auth flow
  2. Re-visiting the application for the first time after the tokens expired once
  3. Returning to the application after both the access and refresh tokens expired

In the case where a user was revisiting the application after their token had already been refreshed once we did not schedule another refresh. If you revisited after a long time when your token was already expired you'd be forced through the auth flow again and everything would be fine too, but if you got unlucky and visited while a refreshed token was still just barely valid you could end up with the token expiring without any refresh having been scheduled. Here we now ensure that we ALWAYS schedule the tokens to be refreshed.

Additionally we also now update the cookies when a user revisits the application, ensuring that the access_token, oauth_expiry and refresh_token cookies reflect the latest refresh values. However, if a token is refreshed while a session is running these cookies may still be out-of-date until the next time the user visits the application.

Fixes #6684
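The scheduling gap described above, modelled as an added example that is not Panel's code: `visit` handles one page visit with either the pre-fix rule (schedule a refresh only on login, on refresh-after-expiry, or on full re-auth) or the fixed rule (always schedule and update the cookies). Token shapes, the 60-second refresh margin, and the assumption that a timer-driven refresh does not itself re-arm the timer are all constructed for the illustration.

```python
REFRESH_MARGIN = 60  # seconds before expiry at which a refresh fires (assumed)


def _issue(now, access_ttl=3600, refresh_ttl=86400):
    # Constructed token set standing in for an OAuth provider response.
    return {'access_token': f'at-{now}', 'oauth_expiry': now + access_ttl,
            'refresh_token': f'rt-{now}', 'refresh_expiry': now + refresh_ttl}


def _schedule_refresh(state, timers):
    timers.append(state['oauth_expiry'] - REFRESH_MARGIN)


def visit(state, cookies, timers, now, always_schedule):
    """One page visit. always_schedule=False reproduces the pre-fix logic,
    True the fixed logic. Returns the action taken."""
    if not state:                              # first visit: full auth flow
        state.update(_issue(now)); cookies.update(state)
        _schedule_refresh(state, timers); return 'auth'
    if now >= state['oauth_expiry']:           # access token expired
        if now >= state['refresh_expiry']:     # refresh token expired too
            state.clear(); state.update(_issue(now)); cookies.update(state)
            _schedule_refresh(state, timers); return 'auth'
        state.update(_issue(now)); cookies.update(state)   # silent refresh
        _schedule_refresh(state, timers); return 'refresh'
    # Access token still valid, possibly refreshed earlier by a timer.
    if always_schedule:
        cookies.update(state)                  # cookies reflect latest refresh
        _schedule_refresh(state, timers)
        return 'resume+schedule'
    return 'resume'                            # pre-fix: no timer armed


def timer_refresh(state, timers, now):
    """Background refresh fired by a scheduled timer. Cookies are left
    untouched, matching the caveat about running sessions above."""
    if timers and now >= timers[0] and now < state['refresh_expiry']:
        timers.pop(0); state.update(_issue(now)); return True
    return False


def scenario(always_schedule):
    """Login, let the timer refresh the token, then revisit while that
    refreshed token is still valid. Returns (pending timers,
    cookie expiry matches the live token)."""
    state, cookies, timers = {}, {}, []
    visit(state, cookies, timers, 0, always_schedule)       # t=0: login
    timer_refresh(state, timers, 3540)                       # t=3540: refresh fires
    visit(state, cookies, timers, 7000, always_schedule)    # shortly before expiry
    return len(timers), cookies['oauth_expiry'] == state['oauth_expiry']
```

With the pre-fix rule the revisit leaves no timer pending and a stale oauth_expiry cookie; with the fixed rule a refresh is armed and the cookie matches the live token.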

@philippjfr philippjfr merged commit 2e26d6d into main Apr 30, 2024
13 of 14 checks passed
@philippjfr philippjfr deleted the token_refresh_fix branch April 30, 2024 10:58
Successfully merging this pull request may close these issues.

oauth_expiry cookie provides incorrect information when using refresh_token