feat(settings): add admin switch for debugging boxes

fix(viewsqlite): only admins

This changes handling our authentication via Catchpoint's OpenID-based
service.

- Introduces the library RandomLib (and its deps) for random string
generation for nonces and code verifiers
- Starts obscuring our cookie names via a hash and secret key. It's a
  bit of security through obscurity and it's not 100% great, but it's an
  additional line
- Moves GetServerSecret's implementation to Util so I can use it within
  a Util setting
- Creates an OAuth class tucked into the WebPageTest\Util namespace.
  This will likely change.

setting a cookie in one file does not mean it will be accessible with
$_COOKIE in the same request. Let's add some state management within the
client itself.

We switched the way we do login to work with the Catchpoint OAuth. This
also involved obscuring some cookie names.

I also cleaned up some of this code

When a user's token has been revoked/is bad, but we still have it, we
get into a state of endless redirects

What if the cookie is not set, but somebody POSTs to logout anyway? Just
go ahead and don't bother calling it.

What if the token is bad, but we want the user to have a nicer
experience? Let's not just log them out, let's retry!

Following conventions of PSR-12 for some existing things

Also rewrite some tests to make sure they pass with the changing in
functionality

feat(login): login with openid auth code flow

Allow for the extensions cache time to be configured in settings

This is a fix, for now

fix(admin): this needs to use the global admin