After successful login, we start a goroutine to handle refreshing the
session token in the background, with session expiry defined in
auth.ExpiryDuration.

To kill the goroutine cleanly at Logout, s.sessionCancelFuncs maintains
a map of did->cancelFunc which we look up and call at logout.

Accounting for this map getting cleared at program end, we restore a
token refresher at the *first* authenticated request using RestoreSessionIfNeeded
in the AuthMiddleware.

we want to enable proper rollback mechanism on knots to eventually