feat(auth): support trusted device (#52)

New API to maintain sessions and devices:

- GET /api/private/admin/sessions
- DELETE /api/private/admin/sessions/{session_id}
- GET /api/private/admin/trusted-devices
- DELETE /api/private/admin/trusted-devices/{device_id}

Auth:

web clients request `/oauth/token` and `/api/v2/session/verify` with `X-UUID` header to save the client as trusted device.

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

app/config.py

@@ -170,6 +170,11 @@ STORAGE_SETTINGS='{
         Field(default=1440, description="访问令牌过期时间（分钟）"),
         "JWT 设置",
     ]
+    refresh_token_expire_minutes: Annotated[
+        int,
+        Field(default=21600, description="刷新令牌过期时间（分钟）"),
+        "JWT 设置",
+    ]  # 15 days
     jwt_audience: Annotated[
         str,
         Field(default="5", description="JWT 受众"),
@@ -349,11 +354,6 @@ STORAGE_SETTINGS='{
         Field(default=30, description="设备信任持续天数"),
         "验证服务设置",
     ]
-    location_trust_duration_days: Annotated[
-        int,
-        Field(default=90, description="位置信任持续天数"),
-        "验证服务设置",
-    ]
     smtp_server: Annotated[
         str,
         Field(default="localhost", description="SMTP 服务器地址"),