Fix auth token being deleted on mobile browser restarts
The auth token was issued without a Max-Age or an Expires field, making it a "session cookie" that gets cleaned up on browser restarts -- this was especially painful for mobile users where it's common for the app to be closed.
We fix this by adding a Max-Age field to match the JWT token validity.
Additionally, we increase the token validity from 4 weeks to 12 weeks. Given the verification method, it's very unlikely (and it's no problem even if it happened, at least for 3 months) for someone to lose access privileges when they could access it before.
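Added example, not part of the commit or the project's code: a sketch of deriving the cookie's Max-Age from the verified JWT `exp` claim so the two lifetimes cannot drift apart, next to the session-cookie form the commit message describes. The cookie name `auth`, the HS256 signing, the demo key and the `HttpOnly`/`Secure`/`SameSite` attributes are assumptions.

```python
import base64, hashlib, hmac, json
from http.cookies import SimpleCookie

VALIDITY = 12 * 7 * 24 * 3600   # 12 weeks, the validity named in the commit message
KEY = b"constructed-demo-key"   # constructed sample key, not a real secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub: str, now: int) -> str:
    """Build an HS256 JWT whose exp is now + VALIDITY."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + VALIDITY}).encode())
    return f"{header}.{payload}.{_b64(_sign(f'{header}.{payload}'))}"

def verified_exp(token: str) -> int:
    """Return exp only after the signature checks out."""
    header, payload, sig = token.split(".")
    if not hmac.compare_digest(_sign(f"{header}.{payload}"), _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))["exp"]

def auth_cookie(token: str, now: int, persistent: bool = True) -> str:
    """Set-Cookie value; persistent=False reproduces the pre-fix session cookie."""
    jar = SimpleCookie()
    jar["auth"] = token               # hypothetical cookie name
    morsel = jar["auth"]
    morsel["path"] = "/"
    morsel["httponly"] = True         # assumed hardening attributes
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    if persistent:
        # Max-Age is the remaining token lifetime, never a separate constant
        morsel["max-age"] = max(0, verified_exp(token) - now)
    return morsel.OutputString()

def is_session_cookie(set_cookie: str) -> bool:
    """True when neither Max-Age nor Expires is present (dropped on browser restart)."""
    attrs = {p.split("=", 1)[0].strip().lower() for p in set_cookie.split(";")[1:]}
    return not ({"max-age", "expires"} & attrs)
```
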