
fix: expire authentication tokens #37

Open

moldach wants to merge 1 commit into codebasepk:master from moldach:fix-token-expiration

Conversation


@moldach moldach commented May 28, 2026

Summary

Add configurable expiration for authentication tokens issued by simple_login.

Tokens now expire after 30 days by default when authenticated through TokenAuthentication. Projects can customize this with:

  • SIMPLE_LOGIN_TOKEN_EXPIRY = timedelta(...)
  • SIMPLE_LOGIN_TOKEN_EXPIRY = <seconds as int>
  • SIMPLE_LOGIN_TOKEN_EXPIRY = None to disable expiration

Expired tokens are deleted and rejected with AuthenticationFailed.

Closes #25.

Security relevance

Issue #25 notes that tokens should not have an unlimited lifetime. Enforcing a token TTL reduces the usefulness window of leaked, forgotten, or otherwise exposed credentials and forces periodic re-authentication.

Evidence

The existing Tokens model already stores created, so expiration can be enforced without a schema migration.

Tests

Added unit tests for:

  • integer expiry values treated as seconds
  • disabled expiry
  • expired tokens
  • recent tokens that should remain valid

Locally run:

python3 -m py_compile simple_login/utils/authentication.py simple_login/tests/*.py

I also attempted to run the Django test command, but full execution is currently blocked in this environment by existing dependency compatibility issues unrelated to this patch:

  • the default settings expect ~/sample_config.ini
  • the installed Django version no longer supports django.conf.urls.url
  • modern Django/DRF reports an existing Tokens.key field clash with the base token model

Risk

Low. The change only affects token authentication. It defaults to expiring old tokens, while projects that need legacy indefinite tokens can explicitly set SIMPLE_LOGIN_TOKEN_EXPIRY = None.

Add configurable auth token expiration to TokenAuthentication. Tokens expire after 30 days by default, can be disabled with SIMPLE_LOGIN_TOKEN_EXPIRY = None, and integer settings are treated as seconds.
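The setting normalisation and expiry check the PR describes (timedelta, int seconds, or None; expired tokens deleted and rejected with AuthenticationFailed), as an added illustration that is not the PR's diff or simple_login's code; the function names, the in-memory token store and the stand-in exception class are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical stand-ins: the PR page does not show simple_login's implementation.
DEFAULT_TOKEN_EXPIRY = timedelta(days=30)   # the PR's stated default
_UNSET = object()                            # "setting not defined in settings.py"

class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""

def resolve_token_expiry(value=_UNSET):
    """Normalise SIMPLE_LOGIN_TOKEN_EXPIRY: timedelta, int seconds, or None (disabled)."""
    if value is _UNSET:
        return DEFAULT_TOKEN_EXPIRY
    if value is None or isinstance(value, timedelta):
        return value
    # bool is a subclass of int; reject it so True does not silently become a 1-second TTL
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("SIMPLE_LOGIN_TOKEN_EXPIRY must be a timedelta, int seconds or None")
    if value < 0:
        raise ValueError("SIMPLE_LOGIN_TOKEN_EXPIRY must not be negative")
    return timedelta(seconds=value)

def expiry_seconds(value=_UNSET):
    """Resolved TTL in whole seconds, or None when expiration is disabled."""
    ttl = resolve_token_expiry(value)
    return None if ttl is None else int(ttl.total_seconds())

def authenticate_token(store, key, setting=_UNSET, now=None):
    """store maps token key -> tz-aware `created` datetime (stand-in for the Tokens table)."""
    created = store.get(key)
    if created is None:
        raise AuthenticationFailed("Invalid token.")
    ttl = resolve_token_expiry(setting)
    now = now or datetime.now(timezone.utc)
    if ttl is not None and created + ttl <= now:
        del store[key]          # expired token is deleted, then the request is rejected
        raise AuthenticationFailed("Token has expired.")
    return created

def demo(age_days, setting=_UNSET):
    """Authenticate a constructed token `age_days` old; return (accepted, still_stored)."""
    now = datetime(2026, 5, 28, tzinfo=timezone.utc)      # constructed clock
    store = {"tok": now - timedelta(days=age_days)}
    try:
        authenticate_token(store, "tok", setting, now)
        return True, "tok" in store
    except AuthenticationFailed:
        return False, "tok" in store
```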

Development

Successfully merging this pull request may close these issues.

[Security] Implement auto expiration of auth token
