
Query Auth0 for accountLinkId in directives if missing

Open · Bouncey opened this issue · 1 comment

It is possible for clients to send a token for an existing user that does not have the accountLinkId, even though the user has one assigned to them and an entry in the database.

  • User logs in/creates an account. The token sent to create the account has no accountLinkId
  • As part of creating an account, we assign a uuid as the accountLinkId and update the user record held at Auth0
  • Subsequent requests from this user still hold a token with no accountLinkId
  • Here lies a potential never-ending loop of multiple accounts for the same user, until the user logs out and in again to gain their new token.

There is scope for setting the accountLinkId over in Auth0, so every token has an accountLinkId from the very first login.

Do we still need to handle the case for if we end up setting it here because it is missing? I think it would lead to some crappy UX having to invalidate the token and having new users log out and in again.

I am going to raise a PR that will add the current rules we have set in Auth0 to this repo. Just so we all have some visibility of them and what they are doing.

Bouncey · May 03 '18 10:05

In looking into the accountLinkId issue, I found it was as simple as adding uuid() inside the rule, so I have. See #108 for details on the rule.

As always, I am open to changes.

We still need to discuss how we handle cases for if the accountLinkId is missing. This could happen if the incorrect scope was requested when logging a user in.

Bouncey · May 03 '18 10:05