Refresh tokens were not correctly moved to the rehydrated
device (similar to how the access token is currently handled).
This resulted in invalid refresh tokens after rehydration.

Introduced in #16240

The action for the task was only defined on the "master" handler, rather than the base worker one.

Adds both the List-Unsubscribe (RFC2369) and List-Unsubscribe-Post (RFC8058)
headers to push notification emails, which together should:

* Show an "Unsubscribe" link in the MUA UI when viewing Synapse notification emails.
* Enable "one-click" unsubscribe (the user never leaves their MUA, which automatically
  makes a POST request to the specified endpoint).

Enable additional checks & clean-up unneeded configuration.

Using the new `TaskScheduler` meant that we'ed create lots of new
metrics (due to adding task ID to the desc of background process),
resulting in requests for metrics taking an increasing amount of CPU.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

During the UI auth process, avoid storing sensitive information
into the database.

This fixes a bug where we could get stuck re-requesting the device over
replication again and again.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Similar to OIDC, CAS providers can now disable registration such
that only existing users are able to login via SSO.