Open
Description
Currently there is no way to kick tokens, as they are not stored server-side at all. When a token is received it is decoded using the application secret and the user ID is pulled from it.
Tokens should be stored in a new collection. When a user authenticates, the token they are authenticating with must exist in the db, or else the attempt fails. Allowing multiple tokens for a user is fine, in case they want to be logged in from multiple places at the same time.
When a user changes their password, all existing tokens for that user should be kicked.
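One way the proposed flow could look, as an added example rather than this project's code: a server-side token allowlist where authentication requires both a valid signature and a matching stored entry, so any token can be kicked and a password change revokes them all. The HMAC-signed token format and the in-memory dict standing in for the new collection are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

APP_SECRET = b"constructed-example-secret"  # placeholder; load from config in practice

# Stand-in for the proposed tokens collection: user_id -> set of token hashes.
# Only a hash of each token is stored, so a leaked store cannot be replayed as-is.
token_store = {}


def _sign(payload: str) -> str:
    return hmac.new(APP_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: str) -> str:
    """Mint a signed token and record it server-side; several per user are allowed."""
    claims = {"uid": user_id, "jti": secrets.token_hex(8)}  # jti makes each token distinct
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    token = f"{payload}.{_sign(payload)}"
    token_store.setdefault(user_id, set()).add(_token_hash(token))
    return token


def authenticate(token: str):
    """Return the user ID only if the signature is valid AND the token is still stored."""
    payload, _, sig = token.rpartition(".")
    if not payload or not hmac.compare_digest(sig, _sign(payload)):
        return None  # forged or malformed
    uid = json.loads(base64.urlsafe_b64decode(payload)).get("uid")
    if _token_hash(token) not in token_store.get(uid, set()):
        return None  # signature checks out, but the token was kicked
    return uid


def revoke_token(token: str) -> bool:
    """Kick one session (e.g. logout from a single device)."""
    uid = authenticate(token)
    if uid is None:
        return False
    token_store[uid].discard(_token_hash(token))
    return True


def revoke_all_tokens(user_id: str) -> int:
    """Call after a password change: every existing token for the user is kicked."""
    return len(token_store.pop(user_id, set()))
```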