feat(auth): Add JWT authentication for heartbeat endpoints (#228)

* Add JWT-protected heartbeat endpoint with organization validation

* Fix JWT audience to match token-exchange service

* Fix JWT claims extraction for ESP v1 (GAE Flex)

* Use portable JWT parsing with go-jose library

* Update heartbeat client to use JWT authentication

* feat(auth): add JWT token refresh for heartbeat connections

Implements automatic JWT token renewal before expiry to handle GAE's
1-hour connection limits. Includes comprehensive test coverage.

* update comment

* feat(auth): update handler to read ESPv1's custom header

* add debug logging

* fix(auth): parse claims as a JSON string

* use base64.StdEncoding

* restore expiry parsing from JWT

* Make tests table-driven

Avoids a nil pointer dereference error in Geo() (#227)

* Avoids a nil pointer dereference error in Geo()

There was a case in staging where Locate was returning this for a host:

  "neubot-mlab4-syd04.mlab-staging.measurement-lab.org": {
    "Health": null,
    "Registration": null,
    "Prometheus": {
      "Health": false
    }
  },

... this was causing a panic in Locate. This commit avoids this, and adds a new
unit test to be sure it working as intended.

* Fixes a few typos in a comment in Geo()

Avoids a nil pointer dereference error in Geo() (#227)

* Avoids a nil pointer dereference error in Geo()

There was a case in staging where Locate was returning this for a host:

  "neubot-mlab4-syd04.mlab-staging.measurement-lab.org": {
    "Health": null,
    "Registration": null,
    "Prometheus": {
      "Health": false
    }
  },

... this was causing a panic in Locate. This commit avoids this, and adds a new
unit test to be sure it working as intended.

* Fixes a few typos in a comment in Geo()

Add -early-exit-clients command-line flag (#223)

* Add -early-exit-client command-line argument.

* Make flag configurable via cloudbuild vars

* Use consts for early exit parameter and value

Update cloudbuild config to allow setting IP-based config from env (#221

)

* Update cloudbuild config to allow setting IP-based config from env

* Get artifact project from an env variable

* use _ prefix

Update rate limiter to have different configurable limits for IP-only…

… and IP+UA (#219)

Make rate limiter parameters configurable via CB (#217)

* Add two more variable replacements in cloudbuild.yaml

* Add vars to app.yaml

Merge pull request #216 from m-lab/sandbox-roberto-metrics

Add metric to track rate-limited clients by client_name

Enable rate limiting (#214)

* Actually block when IP+UA is rate limited.

* Add tests for the rate limiter code paths

Do not automatically promote after deployment in mlab-ns (#213)