
Move JWT to an httponly cookie

Open mattkrick opened this issue 2 years ago • 10 comments

With recent changes to DomainJoins, we can no longer assume that team members & org members can trust each other. It's possible that a user gets unknowingly invited to a hacker's org. Once there, an attacker could XSS or use phishing attacks to gain access to the victim's JWT. To fix this, we need to get credentials out of reach from JS. We should've done this ages ago, but now it's a little more important.

AC

  • [ ] Move the JWT from localStorage into an httponly cookie
  • [ ] Consider replacing the JWT with a simple token. Relying on tms isn't very valuable & we have to look up the JWT to make sure it hasn't been blacklisted, anyways.
  • [ ] Fix places on the client that rely on tms since it will no longer be accessible

mattkrick · Jun 13 '23 20:06