Improve auth security

We need to store refresh token in http-only cookie to prevent stealing it from LocalStorage by any script (for, example Editor tool from marketplace)

See https://gist.github.com/zmts/802dc9c3510d79fd40f9dc38a12bccfc