@harmonherring-pro harmonherring-pro commented Jun 6, 2025

During the GitHub App User OAuth flow, the expires_in and refresh_token_expires_in fields are included in the successful response to indicate how long the access token and refresh token are live for. I'm building a tool and need access to these fields, so it seems to be appropriate to return them along with the token and refresh token.

@andyfeller (Member)

@harmonherring-pro : Thank you for opening up this pull request! ❤️

I would like you to create an issue with any logs from OAuth device and/or web flow with GitHub.com before we proceed further.

The GitHub Docs on device and web flows state that these fields are contained in the responses; however, a cursory GH_DEBUG=api gh auth login shows that neither of those fields is provided in the final response:

$ GH_DEBUG=api gh auth login

...

> POST /login/oauth/access_token HTTP/1.1
> Host: github.com
> Content-Length: 149
> Content-Type: application/x-www-form-urlencoded

client_id=178c6fc778ccc68e1d6a&device_code=4bacaf84c1fbdf7d3f094b9973673542c314ef19&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code
< HTTP/2.0 200 OK
< Cache-Control: max-age=0, private, must-revalidate
< Content-Length: 208
< Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' ...
< Content-Type: application/x-www-form-urlencoded; charset=utf-8
< Date: Tue, 05 Aug 2025 12:17:51 GMT
< Etag: W/"ddc6411a4610fbc6848540d812a15c5a"
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Server: github.com
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-Github-Request-Id: FDC6:1FF4E9:354C1AC:4804C19:6891F66A
< X-Xss-Protection: 0

error=authorization_pending&error_description=The+authorization+request+is+still+pending.&error_uri=https%3A%2F%2Fdocs.github.com%2Fdevelopers%2Fapps%2Fauthorizing-oauth-apps%23error-codes-for-the-device-flow
* Request took 46.022959ms
* Request at 2025-08-05 08:17:56.626028 -0400 EDT m=+32.353857001
* Request to https://github.com/login/oauth/access_token
> POST /login/oauth/access_token HTTP/1.1
> Host: github.com
> Content-Length: 149
> Content-Type: application/x-www-form-urlencoded

client_id=178c6fc778ccc68e1d6a&device_code=4bacaf84c1fbdf7d3f094b9973673542c314ef19&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code
< HTTP/2.0 200 OK
< Cache-Control: max-age=0, private, must-revalidate
< Content-Length: 113
< Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' ...
< Content-Type: application/x-www-form-urlencoded; charset=utf-8
< Date: Tue, 05 Aug 2025 12:17:56 GMT
< Etag: W/"9a700289a43cd48503d2cb7fb2f0ef81"
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Server: github.com
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-Github-Request-Id: FDC6:1FF4E9:354DA72:4806F35:6891F66F
< X-Xss-Protection: 0

access_token=gho_...
* Request took 123.731209ms
* Request at 2025-08-05 08:17:56.750421 -0400 EDT m=+32.478248876
* Request to https://api.github.com/graphql

I'm unsure if this is intentional from GitHub OAuth flows, but I don't think these changes would work as expected. Additionally, we would really love tests with any contribution. 🙇
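To make the point of the captured output concrete: a parser for GitHub's form-encoded token response that treats the two lifetime fields as optional, so a client like gh does not break when they are absent, and that recognises the authorization_pending reply shown above. This is an added example, not code from the gh project or from either commenter; the token values in the tests are constructed, and the ErrAuthorizationPending sentinel and TokenResponse type are my own names.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

var ErrAuthorizationPending = errors.New("authorization_pending") // user has not approved yet

// TokenResponse is the decoded body of POST /login/oauth/access_token. The lifetime
// fields stay zero when GitHub omits them, as the captured output above does (access_token=gho_... only).
type TokenResponse struct {
	AccessToken, RefreshToken        string
	ExpiresIn, RefreshTokenExpiresIn time.Duration // zero means "not reported"
}

// ParseTokenResponse decodes the application/x-www-form-urlencoded body GitHub
// returns in both the pending and the success case shown in the log above.
func ParseTokenResponse(body string) (*TokenResponse, error) {
	vals, err := url.ParseQuery(body)
	if err != nil {
		return nil, fmt.Errorf("decode token response: %w", err)
	}
	if code := vals.Get("error"); code != "" {
		if code == "authorization_pending" {
			return nil, fmt.Errorf("%w: %s", ErrAuthorizationPending, vals.Get("error_description"))
		}
		return nil, fmt.Errorf("oauth error %q: %s", code, vals.Get("error_description"))
	}
	tok := &TokenResponse{AccessToken: vals.Get("access_token"), RefreshToken: vals.Get("refresh_token")}
	if tok.AccessToken == "" {
		return nil, errors.New("token response carries neither access_token nor error")
	}
	// Lifetimes are optional: absence leaves zero so callers can tell "not reported" from a value.
	lifetimes := map[string]*time.Duration{"expires_in": &tok.ExpiresIn, "refresh_token_expires_in": &tok.RefreshTokenExpiresIn}
	for key, dst := range lifetimes {
		if raw := vals.Get(key); raw != "" {
			n, err := strconv.ParseInt(raw, 10, 64)
			if err != nil || n < 0 {
				return nil, fmt.Errorf("invalid %s=%q in token response", key, raw)
			}
			*dst = time.Duration(n) * time.Second
		}
	}
	return tok, nil
}
```

A caller polling the device endpoint keeps retrying while errors.Is(err, ErrAuthorizationPending) holds, and treats a zero ExpiresIn as "no expiry reported" rather than as an already-expired token.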
