The refresh token is usually valid for a year but it can be revoked at
any time. When we try to use it and it's expired, we should remove it
from the account record and notify the user. They can then refresh the
authorisation.
The provider name and uid are currently stored on the user model but
it's better to move them to their own table. They are only needed in
certain situations, only some users have an account and we are now
storing a lot more.
