@swalker326
Summary

Adds an optional refresh() callback to the issuer configuration that allows updating token properties during refresh operations without requiring users to re-authenticate.

This addresses issue #275 where dynamic user attributes (permissions, roles, profile data) stored in external sources like Redis or databases could not be updated during token refresh.

Changes

  • New refresh callback in IssuerInput interface - Optional callback that mirrors the success() callback pattern
  • Integration with token refresh flow - The refresh callback is invoked during refresh_token grant type operations
  • Backward compatible - When no refresh callback is provided, the original behavior of using cached properties is maintained
  • Comprehensive test coverage - Added test to verify refresh callback updates token properties correctly

Usage Example

issuer({
  success: async (ctx, value) => {
    const user = await db.findUser(value.email)
    const permissions = await redis.get(`permissions:${user.id}`)
    return ctx.subject("user", {
      id: user.id,
      email: user.email,
      permissions,
    })
  },

  // NEW: Refresh callback to update dynamic attributes
  refresh: async (ctx, value) => {
    // Re-fetch permissions on every refresh
    const permissions = await redis.get(`permissions:${value.properties.id}`)
    return ctx.subject("user", {
      ...value.properties,
      permissions, // Updated value!
    })
  },
})

Test Plan

- All existing tests pass (28/28)
- New test verifies refresh callback is invoked with correct payload
- New test verifies updated properties appear in refreshed tokens
- TypeScript compilation passes with no errors
- Backward compatibility verified - existing behavior unchanged when callback not provided

Related Issues

Fixes #275

Add optional refresh() callback to IssuerInput that allows updating
token properties during refresh operations without re-authentication.
This enables dynamic user attributes (permissions, roles, etc.) to be
refreshed from external sources like Redis or databases.

When the refresh callback is not provided, the original behavior of
using cached properties is maintained for backward compatibility.

Fixes anomalyco#275
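
Added example, not part of the PR or the project's code: a simplified in-memory model of the refresh flow described above. It shows that a permission revoked after login survives a refresh when no callback is configured, and that a callback can refuse the refresh when the user record is gone. `makeRefresh`, `handleRefresh`, `demo` and the `Map` standing in for Redis are hypothetical names, and the sample data is constructed.

```javascript
// Added illustration; every name here is hypothetical, not OpenAuth's API.

// Builds a refresh callback shaped like the one in the PR description.
// `store` stands in for Redis or a database.
function makeRefresh(store) {
  return async (ctx, value) => {
    const permissions = store.get(value.properties.id);
    // Fail closed: a missing entry means the account or grant is gone,
    // so refuse the refresh instead of reissuing cached permissions.
    if (!Array.isArray(permissions)) throw new Error("subject not found");
    return ctx.subject("user", { ...value.properties, permissions });
  };
}

// Simplified model of a refresh_token grant handler: use the callback's
// subject when one is configured, else the properties cached at login.
async function handleRefresh(record, refresh) {
  const ctx = { subject: (type, properties) => ({ type, properties }) };
  const subject = refresh
    ? await refresh(ctx, record)
    : ctx.subject(record.type, record.properties);
  return { access: subject }; // stand-in for a signed access token
}

async function demo() {
  // Constructed sample data: permissions as they were at login time.
  const store = new Map([["u1", ["read", "billing:write"]]]);
  const record = {
    type: "user",
    properties: { id: "u1", email: "user@example.com", permissions: store.get("u1") },
  };
  store.set("u1", ["read"]); // billing:write revoked after login

  const stale = await handleRefresh(record); // no callback configured
  const fresh = await handleRefresh(record, makeRefresh(store));

  store.delete("u1"); // account removed from the external source
  const denied = await handleRefresh(record, makeRefresh(store))
    .then(() => false, () => true);

  return {
    stale: stale.access.properties.permissions,
    fresh: fresh.access.properties.permissions,
    denied,
  };
}

demo().then((r) => console.log(r));
```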