Context An Express API needs a secure authentication system using short-lived access tokens and long-lived refresh tokens. The Problem The current system issues access tokens with a 30-day expiry and no refresh mechanism, making token revocation impossible. Constraints Issue access tokens with a 15-minute expiry using jsonwebtoken. Issue refresh tokens with a 7-day expiry stored in an httpOnly cookie. Implement a /auth/refresh endpoint that rotates the refresh token on each use. Invalidate the old refresh token immediately after rotation. Expected Deliverable An Express authentication system with JWT access tokens, refresh token rotation via httpOnly cookies, and invalidation logic to prevent token reuse.