auth: :reset_auth_header_expires_in/at options

thes new options allow the session to preemptively invalidate and discard the authentication header (x seconds after its first use).

mostly useful when the token generation is dynamic (or else it'd invalidate the token for nothing).

on the oauth plugin, the value of the "expires_in" field in the token response payload will be used to invalidate the access token ahead of time too.

made assignment/access to ivars a bit more thread-safe too.