fix(oauth): unset expiresAt on access token during code exchange

Auth codes are created with expiresAt = now + 10min. The updateOne that
sets the access token on code exchange was missing $unset: { expiresAt: "" },
so the 10-min TTL survived onto the access token. Token middleware rejects
any token where expiresAt < now, causing Phanpy and all Mastodon clients
to be forced to re-login every 10 minutes.

The refresh_token rotation path already had this $unset correctly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -610,6 +610,7 @@ router.post("/oauth/token", async (req, res, next) => {
|
|||||||
refreshToken,
|
refreshToken,
|
||||||
refreshExpiresAt: new Date(Date.now() + REFRESH_TOKEN_TTL),
|
refreshExpiresAt: new Date(Date.now() + REFRESH_TOKEN_TTL),
|
||||||
},
|
},
|
||||||
|
$unset: { expiresAt: "" },
|
||||||
},
|
},
|
||||||
);
|
);
|
||||||
|
|
||||||
|
|||||||
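Review bot: The added `$unset: { expiresAt: "" }` line leaves the exchanged access token with no expiry of its own, so the middleware check described in the commit message (reject when expiresAt < now) can never fire for it; the only lifetime set in the visible update is refreshExpiresAt. If non-expiring access tokens are intended, say so in a comment next to the $unset; otherwise set expiresAt to an access-token lifetime in the update instead of removing the field. Since the refresh_token rotation path carries the same $unset, consider building both update documents from one shared helper so the two paths cannot drift apart again, and add a test that exchanges a code and confirms the resulting token is still accepted after the auth code's 10-minute window has passed.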