Revamp device auth schema

The `device_auth_request` records should be short-lived, and probably have `user_code` as their primary key. On verification & token grant, relevant info should be transferred to the new `device_access_token` record and the `device_auth_request` record deleted.