Prevent "invalid token" from being blocking

[br41nslug]

Scope

What's changed:

• The verifySessionToken function now throws a "InvalidCredentials" error to be consistent with the rest of the authentication middleware
• The session cookie will now be deleted if it's found to be invalid allowing a frontend to send you back to the login screen.

Potential Risks / Drawbacks

• This solution feels like the simplest one, instead of throwing an error and leaving the end user in an error state requiring manual intervention to recover (clearing cookies)

Review Notes / Questions

• I would like to lorem ipsum
• This PR complements Fix race condition for concurrent /auth/refresh calls #22433 or Add mutex for app token refresh #22457, one of which will tackle the underlying issue
• As a follow up to the security fix Improved session token validation #22353 (GHSA-g65h-35f3-x2w3)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0ea71f2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[licitdev]

Should we add a reason on the login page similar to /admin/login?reason=SESSION_EXPIRED?

[hanneskuettner]

Nice tests!

LGTM 🎸