
mcollina/oauth

Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.

94 (1.40x)

Quality: 95% (Does it follow best practices?)

Impact: 93% (1.40x)

Average score across 5 eval scenarios

Security by Snyk: Passed (No known issues)


evals/scenario-4/task.md

Implement Token Refresh and Persistent Session Management

Problem/Feature Description

A SaaS company's Fastify application uses OAuth to let users log in via a third-party identity provider. Users are complaining that they get logged out too frequently — access tokens expire after one hour, and the app currently has no way to silently renew them. The backend engineer needs to implement a token refresh mechanism that keeps users logged in seamlessly.

The identity provider supports refresh token rotation: every time a refresh is used, the provider returns both a new access token and optionally a new refresh token. The app currently stores tokens server-side. The team is also concerned about secure token storage because a recent internal review flagged that tokens might be exposed to client-side JavaScript.

Output Specification

Produce a TypeScript implementation with the following files:

  • lib/tokenRefresh.ts — a function that accepts a Fastify instance and a refresh token string, calls the OAuth provider to obtain new tokens, and returns the new access and refresh tokens
  • routes/refresh.ts — a Fastify route (POST /refresh) that reads the stored refresh token, calls the refresh function, updates the session, and responds with success

The session and cookie configuration should be visible in the route or a referenced setup file.

No need to start a server or connect to a live identity provider. Produce only the source files.
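An added sketch of the two pieces this scenario asks for, written here as an illustration rather than taken from the skill or any submitted solution, with the Fastify wiring left out so it runs stand-alone. It assumes the provider's token endpoint follows RFC 6749 section 6 (grant_type=refresh_token, client_id/client_secret in the form body, JSON reply with access_token, expires_in and an optional rotated refresh_token) and takes an injectable transport in place of fetch; the cookie settings and the 3600-second fallback lifetime are assumptions, not values from the task.

```typescript
// Added example, not the skill's own code. Assumed provider contract: RFC 6749 section 6
// token endpoint answering JSON {access_token, expires_in, refresh_token?, error?}.
export interface TokenSet { accessToken: string; refreshToken: string; expiresAt: number }
interface TokenResponse { access_token?: string; refresh_token?: string; expires_in?: number; error?: string }
export interface ProviderConfig { tokenUrl: string; clientId: string; clientSecret: string }

// application/x-www-form-urlencoded body, built by hand so no URLSearchParams typings are needed.
export function formEncode(params: Record<string, string>): string {
  return Object.keys(params).map(k => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`).join('&');
}

// Rotation rule: a returned refresh_token replaces the old one; when the provider omits it,
// the previous refresh token is still valid and must be retained rather than dropped.
export function applyRotation(prev: TokenSet, res: TokenResponse, now: number): TokenSet {
  if (res.error || !res.access_token) throw new Error(`refresh failed: ${res.error ?? 'no access_token'}`);
  const expiresIn = typeof res.expires_in === 'number' ? res.expires_in : 3600; // assumed fallback lifetime
  return { accessToken: res.access_token, refreshToken: res.refresh_token ?? prev.refreshToken,
           expiresAt: now + expiresIn * 1000 };
}

// Transport abstraction so the exchange can be driven by a fake offline; wrap global fetch in production.
export type PostForm = (url: string, body: string) => Promise<{ status: number; json(): Promise<unknown> }>;

// lib/tokenRefresh.ts core: exchange the stored refresh token for a fresh token set.
export async function refreshTokens(post: PostForm, cfg: ProviderConfig, prev: TokenSet, now = Date.now()): Promise<TokenSet> {
  const body = formEncode({ grant_type: 'refresh_token', refresh_token: prev.refreshToken,
                            client_id: cfg.clientId, client_secret: cfg.clientSecret });
  const r = await post(cfg.tokenUrl, body);
  const json = (await r.json()) as TokenResponse;
  if (r.status !== 200) throw new Error(`token endpoint returned ${r.status}: ${json.error ?? 'unknown'}`);
  return applyRotation(prev, json, now);
}

// routes/refresh.ts core: tokens live only server-side, keyed by an opaque session id; the browser's
// cookie carries that id alone, so client-side JavaScript never sees an access or refresh token.
export const cookieOptions = { httpOnly: true, secure: true, sameSite: 'strict' as const, path: '/' };
export function needsRefresh(t: TokenSet, now: number, skewMs = 60_000): boolean { return t.expiresAt - skewMs <= now; }

export async function handleRefresh(store: Map<string, TokenSet>, sid: string, post: PostForm,
                                    cfg: ProviderConfig, now = Date.now()): Promise<{ ok: boolean; expiresAt?: number }> {
  const prev = store.get(sid);
  if (!prev) return { ok: false };                 // route answers 401: no session, nothing to refresh
  const next = await refreshTokens(post, cfg, prev, now);
  store.set(sid, next);                            // the old refresh token is now dead at the provider
  return { ok: true, expiresAt: next.expiresAt };  // report expiry only; never echo tokens to the client
}
```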
