Add SignalR Auth Refresh support to server and .NET client

[BrennanConroy]

Summary

Adds SignalR auth refresh support so clients can update authentication credentials for an active connection without reconnecting.

This is primarily for bearer-token scenarios where the access token used to establish the connection expires or rotates while the SignalR connection is still active (although cookies should also work assuming the cookie jar is updated). The feature adds a server refresh endpoint, client refresh APIs/options, negotiate metadata for token lifetime, and hub-layer user state updates so refreshed credentials can be reflected in authorization and user-targeted routing.

High-level flow

1. The server enables auth refresh with HttpConnectionDispatcherOptions.EnableAuthRefresh.
2. If the current auth ticket has an expiration, negotiate includes tokenLifetimeSeconds.
3. The .NET client exposes that initial lifetime and can either:
   • call HubConnection.RefreshAuthAsync() manually, or
   • configure automatic refresh through AuthRefreshOptions.
4. The client sends a POST to {hub-or-connection-url}/refresh?id={connectionToken} with freshly acquired auth credentials.
5. The server validates the refresh request using the endpoint auth metadata.
6. The optional OnAuthRefresh callback can accept or reject the refreshed principal.
7. If accepted, the connection principal and auth expiration are updated.
8. SignalR’s hub layer recomputes UserIdentifier, and rekeys Clients.User(...) routing when needed through the HubLifetimeManager, and publishes a new hub caller context snapshot for future hub work.
9. Existing in-flight hub methods keep the caller context they started with so they don't see a different User over the lifetime of the individual hub method call.

Server changes

• Adds an internal /refresh endpoint alongside the existing negotiate/connect/send/poll endpoints.
• Negotiation can include tokenLifetimeSeconds when auth refresh is enabled and the auth ticket has ExpiresUtc.
• /refresh rejects negotiate v0 connections because v0 has no private connection token (ConnectionId == ConnectionToken).
• Expired connections get an auth-refresh grace period before connection cleanup when CloseOnAuthenticationExpiration and auth refresh are both enabled.

Endpoint metadata / auth behavior

• The refresh endpoint is stamped with the same authorization metadata and endpoint conventions as the connection endpoint.
• OnAuthRefresh runs after the request has authenticated but before the connection user is replaced.
• If OnAuthRefresh returns false, the connection keeps its current principal.
• If OnAuthRefresh throws, the exception is allowed to propagate through normal ASP.NET Core server error handling.

Client changes

• Adds client auth-refresh options through AuthRefreshOptions.
• HubConnection.RefreshAuthAsync() delegates to the underlying transport auth-refresh feature.
• RefreshAuthAsync() fetches a fresh access token rather than reusing the access token cached when the connection started.
• The refreshed token is also cached for subsequent transport requests, so later Long Polling polls/sends use the refreshed credential.
• The client parses tokenLifetimeSeconds from refresh responses and uses it to schedule subsequent automatic refreshes.
• Automatic refresh is re-armed after reconnect.

Refresh URL behavior

• /refresh intentionally posts to the original configured client URL, not a negotiated redirect URL.
• This treats refresh as part of the application authentication plane.
• The request uses the private connection token as the id query parameter.

Hub-layer changes

• Adds overridable Hub.OnAuthRefreshedAsync().
• The hub layer subscribes to the connection user-update feature.
• When the connection user changes, SignalR recomputes the hub UserIdentifier.
• If the UserIdentifier changes, the lifetime manager is asked to rekey the connection before hub-visible state is published.
• If the lifetime manager cannot rekey a changed UserIdentifier, the connection is aborted rather than staying reachable under stale user-targeting state.
• Hub.OnAuthRefreshedAsync() is invoked after the connection user state has been applied.
• Hub.OnAuthRefreshedAsync() is serialized through ActiveInvocationLimit, so it interleaves with hub invocations according to MaximumParallelInvocations.

Hub caller context snapshots

• DefaultHubCallerContext now captures User and UserIdentifier as a snapshot.
• DefaultHubDispatcher captures one HubCallerContext per hub operation and uses that same snapshot for:
  • authorization,
  • hub filters,
  • HubInvocationContext,
  • and hub.Context.
• In-flight hub methods continue to see the old caller context after auth refresh.
• Hub methods that start after the refresh see the new caller context.

UserIdentifier rekeying

• Adds HubLifetimeManager.OnUserIdentifierChangedAsync(...).
• The default lifetime manager updates the connection's live UserIdentifier because default user targeting scans connection state.
• The Redis lifetime manager removes the old user subscription and subscribes the connection to the new user channel.

WindowsIdentity handling

• Explicit /refresh clones WindowsIdentity-backed principals before storing them on the connection.
• SignalR owns and disposes cloned identities when they are replaced or when the connection is disposed.
• Caller/request-owned WindowsIdentity instances are not disposed by SignalR.
• Long Polling's existing request-lifetime WindowsIdentity path is preserved to avoid SafeHandle disposal races.
• Tests cover clone/dispose behavior and disposal during connection cleanup.