Add API for personal / group / project access token rotation
Follow-up on Spike - Token rotation (#387606 - closed). We completed a spike on personal / group / project access token rotation. We decided on the approach that supports various security features. This issue is to add those API endpoints with the following requirements:
- When an expiring token is used to get a new token using the token rotation endpoint, the former (expiring token) needs to be revoked before creating the latter (new token)
- Short expiration time (a week?) since users can always exchange an expiring access token for a new access token using this token rotation endpoint
- Only an expiring token can be used to get a new token. Using an expired token to get a new token must not work