oauth.ClientSessionData.HostURL is not validated after first session
creation. If user switches the PDS while logged in, .HostURL will
still point to old PDS, showing account management options for tngl.sh
users. This can confuse users to accidentally put account in odd state
(activated in both PDSes)
Instead, always resolve Handles and PDS hosts on-demand. Technically
HostURL is used on creating authorized atpclient, but that's ok
because request to old PDS will reject the request.
Ideally we should revoke user sessions on #account event, indigo
currently doesn't support DID based revoking.
Signed-off-by: Seongmin Lee git@boltless.me