jwt-auth

Allow to emit the refresh token in the response body instead of a cookie

Open sun opened this issue 2 years ago • 0 comments

Follow-up on https://github.com/usefulteam/jwt-auth/issues/1#issuecomment-895468941

Goal

  • Add an option or constant to emit the refresh token in the response body instead of a cookie.

Details

  • For security reasons with regard to web/browser clients, #33 implemented the refresh token only as a cookie.
  • In cases where no web (browser) apps are involved (e.g. only native apps), it would be secure to emit the refresh token as part of the token response body.

Notes

  • I have no use-case for this myself, so I will probably not implement it myself. PRs are welcome though.

sun, Mar 09 '22 20:03