hyzhak/themessage_server

on /medium/auth generates auth url, user_id, secret and on /medium/token return encoded token

Opened this issue · 0 comments

Should return auth_url and auth_id.
auth_id must be used to get user's token.

Possible policy problem - any third party fellow could get any token by guessing auth_id. So our role is to make this chance extremely low.

🚓

  • encode the token with a secret which we return to the user
  • exposure of the token should expire, for example after 1-2 minutes
  • the space of possible values of auth_id should be extremely large and hard to guess
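
The flow and the three mitigations listed above, as an added example that is not part of the issue or of the project's code. The function names, the in-memory store, the 120-second TTL and the SHAKE-256 plus HMAC encoding (a standard-library stand-in for an AEAD cipher) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 120  # seconds; assumed value, upper end of the "1-2 minutes" above
_pending = {}    # auth_id -> record; in-memory stand-in for a real store

def _keys(secret, n):
    # One-time secret expanded into a MAC key and an n-byte keystream.
    out = hashlib.shake_256(secret).digest(32 + n)
    return out[:32], out[32:]

def start_auth():
    """/medium/auth: unguessable auth_id plus a secret returned to the user."""
    auth_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    secret = secrets.token_bytes(32)
    _pending[auth_id] = {"secret": secret, "blob": None, "expires": None}
    return auth_id, secret

def store_token(auth_id, token, now=None):
    """OAuth callback: encode the token, drop the secret, start the TTL."""
    rec = _pending[auth_id]
    mac_key, ks = _keys(rec.pop("secret"), len(token.encode()))
    ct = bytes(a ^ b for a, b in zip(token.encode(), ks))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    rec["blob"] = tag + ct
    rec["expires"] = (time.time() if now is None else now) + TOKEN_TTL

def fetch_token(auth_id, now=None):
    """/medium/token: return the encoded token once, and only before expiry."""
    rec = _pending.get(auth_id)
    if rec is None or rec["blob"] is None:
        return None  # unknown auth_id, or the token has not arrived yet
    del _pending[auth_id]  # single use; also purges an expired record
    if (time.time() if now is None else now) > rec["expires"]:
        return None
    return rec["blob"]

def decode_token(secret, blob):
    """Client side: check the tag in constant time, then decode."""
    tag, ct = blob[:32], blob[32:]
    mac_key, ks = _keys(secret, len(ct))
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong secret or modified token")
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()
```

A caller who guesses an auth_id inside the window still receives only the encoded blob, which is useless without the secret handed out at `/medium/auth`.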