feat: include refreshToken in manage-mfa redirect urlParams#397

Closed
lwin-kyaw wants to merge 1 commit into master from feat/manage-mfa-refresh-token

Conversation

lwin-kyaw (Contributor) commented Apr 12, 2026

Jira Link

Description

This PR includes refreshToken in the loginConfig data, encrypted and stored in the session server.
The reason is that when the user tries to manage MFA in the dashboard, we only store the accessToken in the session server, which is only sufficient for use within the accessToken's valid window. After the accessToken expires, the user in the dashboard has no way to refresh the session and is logged out (StorageManager and SessionManager were cleared too).

How has this been tested?

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • My code follows the code style of this project. (run lint)
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Note

Medium Risk
Adds refreshToken to the manageMFA request payload that gets stored in the session server, expanding handling of sensitive credentials and increasing blast radius if storage/encryption or access controls are misconfigured. Functional scope is small and localized to the MFA management flow.

Overview
Updates the manageMFA flow to persist the current refreshToken alongside accessToken/sessionId by adding refreshToken to AuthRequestPayload and populating it from sessionManager.getRefreshToken() before storing the payload.

Also bumps the Vue example to @web3auth/auth 11.4.3 and refreshes package-lock.json metadata (several dependencies marked as peer).

Reviewed by Cursor Bugbot for commit e5c9d41. Bugbot is set up for automated code reviews on this repo.

@lwin-kyaw lwin-kyaw requested review from a team as code owners April 12, 2026 09:16
lwin-kyaw (Contributor, Author) commented:

We should not include refreshToken in Auth storage.

@lwin-kyaw lwin-kyaw closed this Apr 13, 2026
@chaitanyapotti chaitanyapotti deleted the feat/manage-mfa-refresh-token branch April 13, 2026 08:21