Now that we're using Garth pattern for authentication (#524) it seems possible to save a long lived access token. This opens a few possibilities:

1. Potentially do not need save users credentials with P2G, instead only supply them when we need to refresh the token
2. MFA users could also now take advantage of background syncing

Explore these options and see what is feasible.

• also see reference from Garmin Two-Step Verification Token? #570

Requirements:

1. P2G will use User Garmin credentials to get both an OAuth1 and OAuth2 token
   1. P2G will save the OAuth1 and OAuth2 tokens encrypted at rest
   2. OAuth1 token is expected to last 1year
   3. OAuth2 token is expected to last 24hr
   4. When the user changes their Garmin credentials, all saved tokens should be cleared
   5. When the user toggles 2FA enabled, all saved tokens should be cleared
2. If OAuth2 token exists and is not expired, P2G will use this token for Garmin requests
3. If OAuth2 token is missing or expired, P2G will attempt to refresh with OAuth1 token
4. If OAuth1 token is missing or fails to refresh, then P2G will fall back to Garmin signin flow using user credentials
5. During SignIn, if MFA is needed, the user will be prompted
6. If Sync is enabled, the Sync service will wait until the user has completed MFA flow atleast once and an OAuth2 token has been stored
   1. GUI's - user should be prompted to go through MFA flow when they enable Sync setting
   2. Console - user should be prompted to go through MFA before starting background sync

Out of Scope:

1. Fully removing dependency on users credentials - while this would be nice to do so that P2G did not ever save email/password, its a large lift to do this right now and requires re-thinking much of the p2g onboarding flow as well as handling scenarios when credentials do need to be asked for if tokens are lost or expired
2. GitHub Action - GHA does not support anyway to get user input during runtime, nor does it support saving data to disk, meaning the existing console support for MFA will not work. And once OAuth tokens are obtained, they cannot be saved by P2G. In order to support MFA, I believe I'd need to create some kind of multi-step "initialization" workflows that allow the user to get their OAuth tokens and then manually save those as secrets to the repo.