
session/refresh fails when session has expired #5324

@isXander

Description

Describe the bug

Sessions expire after 14 days (the DB default), but a refresh mechanism exists with a 60-day window. This refresh endpoint is broken: it attempts to fetch the user data from the session token, but that attempt fails due to session expiry.

This results in you being signed out every 14 days.

If the original intention was that sessions should be refreshed while the session is still in-date, the fault is in the frontend, which only attempts to refresh the session when a fetch has failed.

Code analysis

  1. When issuing a new session, the DB defaults are used for expires and session_expires, which are 14 days and 60 days respectively (session_item.rs#L37, 20230628180115_kill-ory.sql)
  2. The frontend calls /session/refresh inevitably when the 14-day window ends
  3. The route handler attempts to get the user information from the Authorization header (the mra token) using get_user_with_headers
  4. This call fails, because get_user_record_from_bearer_token fails, as it checks if the session has expired
  5. Session refresh is never successful. User is forced to sign back in and generate a new session.

Additional observations

  • Even if the refresh were successful and a new session issued, the refresh_expires is set with the same database default of 60 days from CURRENT_TIMESTAMP. This effectively makes the refresh expiry pointless, as it is always reset. Instead, the refresh_expires of the new session should match that of the old session.

I am completely happy to, and in fact would love to, contribute this fix myself via a PR. Please let me know if that is something you would accept!
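The following is an added illustration written for this page, not code from labrinth or from the issue author. It models the two windows the issue describes with plain Unix-second timestamps, puts the broken refresh (reusing the ordinary bearer-token lookup, which rejects an expired session) beside a corrected one (gating on refresh_expires only, rotating the old token, and carrying the old refresh_expires forward). The `Store`, `Session`, `AuthError`, `refresh_broken` and `refresh_fixed` names and the `mra_` token format are hypothetical, and capping the new `expires` at the inherited `refresh_expires` is a design choice added here that goes one step beyond what the issue proposes.

```rust
// Added illustration for this page, not labrinth's code. Sessions carry the two
// windows the issue describes (`expires`, 14 days; `refresh_expires`, 60 days).
// Timestamps are plain Unix seconds so the example has no dependencies; the
// type and function names are hypothetical.
use std::collections::HashMap;

/// DB default for `expires`: 14 days, in seconds.
pub const SESSION_TTL: u64 = 14 * 24 * 60 * 60;
/// DB default for `refresh_expires`: 60 days, in seconds.
pub const REFRESH_TTL: u64 = 60 * 24 * 60 * 60;

#[derive(Clone, Debug, PartialEq)]
pub struct Session {
    pub token: String,
    pub user_id: u64,
    pub expires: u64,
    pub refresh_expires: u64,
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    UnknownToken,
    SessionExpired,
    RefreshExpired,
}

/// In-memory stand-in for the sessions table.
pub struct Store {
    sessions: HashMap<String, Session>,
    next_id: u64,
}

impl Store {
    pub fn new() -> Self {
        Store { sessions: HashMap::new(), next_id: 0 }
    }

    /// Issue a new session: `expires` defaults to now + 14 days, while
    /// `refresh_expires` comes from the caller. `expires` is capped at the
    /// refresh window so a late refresh cannot outlive it (added design choice).
    fn issue_with(&mut self, user_id: u64, now: u64, refresh_expires: u64) -> Session {
        self.next_id += 1;
        let token = format!("mra_{}", self.next_id); // hypothetical token format
        let session = Session {
            token: token.clone(),
            user_id,
            expires: (now + SESSION_TTL).min(refresh_expires),
            refresh_expires,
        };
        self.sessions.insert(token, session.clone());
        session
    }

    /// Login path: both windows start from `now`, as the DB defaults do.
    pub fn issue(&mut self, user_id: u64, now: u64) -> Session {
        self.issue_with(user_id, now, now + REFRESH_TTL)
    }

    /// Ordinary bearer-token lookup: correct for authenticated requests,
    /// because a session past `expires` must not grant access.
    pub fn user_from_bearer(&self, token: &str, now: u64) -> Result<u64, AuthError> {
        let s = self.sessions.get(token).ok_or(AuthError::UnknownToken)?;
        if now >= s.expires {
            return Err(AuthError::SessionExpired);
        }
        Ok(s.user_id)
    }

    /// The failure mode from the issue: refresh reuses the ordinary lookup, so
    /// the one situation a refresh exists for (session expired, refresh window
    /// still open) is rejected and the user is signed out.
    pub fn refresh_broken(&mut self, token: &str, now: u64) -> Result<Session, AuthError> {
        let user_id = self.user_from_bearer(token, now)?;
        Ok(self.issue(user_id, now))
    }

    /// Corrected refresh: only `refresh_expires` gates the call, the old token
    /// is rotated out, and the new session inherits the old `refresh_expires`
    /// instead of getting a fresh 60 days.
    pub fn refresh_fixed(&mut self, token: &str, now: u64) -> Result<Session, AuthError> {
        let old = self.sessions.get(token).cloned().ok_or(AuthError::UnknownToken)?;
        if now >= old.refresh_expires {
            return Err(AuthError::RefreshExpired);
        }
        self.sessions.remove(token);
        Ok(self.issue_with(old.user_id, now, old.refresh_expires))
    }
}

fn main() {
    let mut store = Store::new();
    let t0 = 1_700_000_000; // constructed starting point
    let first = store.issue(7, t0);
    let day15 = t0 + SESSION_TTL + 1;
    println!("broken refresh on day 15: {:?}", store.refresh_broken(&first.token, day15));
    let renewed = store.refresh_fixed(&first.token, day15).expect("inside refresh window");
    println!(
        "fixed refresh on day 15: session good for {} more days, refresh window still ends at t0+{} days",
        (renewed.expires - day15) / 86_400,
        (renewed.refresh_expires - t0) / 86_400
    );
}
```

Run as-is, the broken path returns `SessionExpired` on day 15 while the fixed path issues a new 14-day session whose refresh window still ends on day 60. The cap in `issue_with` means a refresh on day 50 yields a session that expires on day 60 rather than day 64, and a refresh attempt on day 60 itself is refused with `RefreshExpired`.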

Labels: api (Relates to the Modrinth API for developers), backend (Involves work from the backend team)
