Open
Description
django-graphql-jwt sets its tokens as cookies by default. We don't have any Cross-Site JS in use but avoiding cookies or setting SameSite as described by Hasura could give us extra protection. We can store the access token in local memory and send it as an Authorization header using Apollo Links. It could also save us bandwidth by limiting what requests send the JWT token.
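
An added example of the in-memory approach described above, not part of the original issue or of the project's code: the token is held in a closure and attached through the callback that Apollo's `setContext` link accepts. The names `createTokenStore`, `expiresAt` and `makeAuthSetter` are hypothetical, and the `JWT` header prefix assumes django-graphql-jwt's default `JWT_AUTH_HEADER_PREFIX`.

```javascript
// Added example; all function names here are hypothetical.
// The token lives only in this closure: no cookie, localStorage or sessionStorage,
// so it is never attached automatically by the browser and is gone on page reload.
function createTokenStore() {
  let token = null;
  return {
    set(t) { token = t; },
    get() { return token; },
    clear() { token = null; },
  };
}

// Read the `exp` claim (seconds) and return it in milliseconds, or null if unreadable.
// No signature check here: the server verifies the token. This only avoids
// sending a token the client already knows is stale.
function expiresAt(jwt) {
  const payload = String(jwt).split(".")[1];
  if (!payload) return null;
  try {
    const json = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
    const exp = JSON.parse(json).exp;
    return typeof exp === "number" ? exp * 1000 : null;
  } catch {
    return null;
  }
}

// Builds the (operation, prevContext) => context callback for setContext.
// Only operations that pass through this link carry the Authorization header.
function makeAuthSetter(store, now = () => Date.now()) {
  return (_operation, prevContext = {}) => {
    const headers = { ...(prevContext.headers || {}) };
    const token = store.get();
    const exp = token ? expiresAt(token) : null;
    if (!token || exp === null || exp <= now()) {
      store.clear(); // drop missing, malformed or expired tokens
      return { headers };
    }
    headers.Authorization = `JWT ${token}`; // assumed default prefix
    return { headers };
  };
}

// Wiring with @apollo/client (shown as comments so the block runs without it):
//   import { setContext } from "@apollo/client/link/context";
//   const store = createTokenStore();
//   const link = setContext(makeAuthSetter(store)).concat(httpLink);
```
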