@frankdekker frankdekker commented Sep 24, 2025

Fixes issue: #247
Breaking changes: no

Changes AccessTokenManager::clearExpiredTokens to:

  • Find all access token identifiers that have expired.
  • Execute a query to unlink these identifiers from any refresh tokens that reference them.
  • Thirdly, delete the access tokens with those ids.

This order ensures that at no point in time is there a refresh token with an invalid access token reference.

Testing

There was already an existing unit test testing the above scenario, but it didn't trigger the issue because the entity manager wasn't cleared (so the test ran against the EntityManager memory instead of the database). As soon as I added the $em->clear() to the test, the scenario above occurred. The original object comparison doesn't work anymore, because the refresh tokens are now actually retrieved from the db instead of the entity manager memory, so the DateTime values and object references differ. The test should now find all unlinked refresh tokens.

Technical choices

Looking at the relation between RefreshToken and AccessToken, the relation is defined as SET TO NULL when the access token is deleted. However, as the access tokens aren't deleted through the EntityManager, this SET TO NULL is never triggered. An alternative implementation would be to retrieve all the expired AccessTokens and delete them through the EntityManager. However, I think performance-wise this will not be quick.
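The three-step ordering described above, written out as an added PHP example (not the bundle's own code). It assumes Doctrine ORM 2.10 or later for wrapInTransaction() and getSingleColumnResult(), and assumes entity classes AccessToken (fields identifier, expiry) and RefreshToken (field accessToken, a many-to-one to AccessToken); those names are assumptions.

```php
<?php
// Added illustration of the unlink-then-delete ordering; not the bundle's code.
// Entity and field names below are assumptions, not taken from the project.
use Doctrine\ORM\EntityManagerInterface;

final class ExpiredAccessTokenCleaner
{
    public function __construct(private EntityManagerInterface $em) {}

    /** Returns the number of expired access tokens that were deleted. */
    public function clearExpiredTokens(): int
    {
        // One transaction: a failure between steps can never leave a refresh
        // token pointing at an access token that no longer exists.
        return $this->em->wrapInTransaction(function (EntityManagerInterface $em): int {
            // Step 1: collect the identifiers of every expired access token.
            $ids = $em->createQueryBuilder()
                ->select('a.identifier')
                ->from(AccessToken::class, 'a')
                ->where('a.expiry < :now')
                ->setParameter('now', new \DateTimeImmutable())
                ->getQuery()
                ->getSingleColumnResult();

            if ($ids === []) {
                return 0;
            }

            // Step 2: unlink those tokens from any refresh token first. Bulk
            // DQL statements bypass the ORM-level SET NULL described in the
            // PR, so the unlink must be issued explicitly.
            $em->createQueryBuilder()
                ->update(RefreshToken::class, 'r')
                ->set('r.accessToken', 'NULL')
                ->where('r.accessToken IN (:ids)')
                ->setParameter('ids', $ids)
                ->getQuery()
                ->execute();

            // Step 3: only now delete the expired access tokens themselves.
            return $em->createQueryBuilder()
                ->delete(AccessToken::class, 'a')
                ->where('a.identifier IN (:ids)')
                ->setParameter('ids', $ids)
                ->getQuery()
                ->execute();
        });
    }
}
```

Because both bulk statements go straight to the database, any AccessToken or RefreshToken objects still held in the EntityManager are stale afterwards; clear the manager (as the PR's test does) before reading them back.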
