Add per-namespace key support

[LucioFranco]

sqld only supports a single JWT verification key through either SQLD_AUTH_JWT_KEY or --auth-jwt-key-file.
Supporting per namespace JWT verification key would allow us:

• Invalidate tokens per namespace, without affecting other namespaces.
• Support true multitenancy, since different tenants must not share the keys that generate their tokens.

[athoscouto]

Bonus points if we support multiple keys per namespace.
The API could look like:

POST /v1/namespaces/$NAMESPACE/create
{
  ...
  "auth_jwt_keys": ["key1", "key2"]
}

Same thing for POST /v1/namespaces/$FROM/fork/$TO and POST /v1/namespaces/$NAMESPACE/config.

[athoscouto]

If we can't support multiple keys on the first iteration, no problem.
We should extend the API with the possibility of multiple keys in mind.
This means accepting an array of keys, not only a single one.

[athoscouto]

Supporting multiple keys per namespace would give us a lot of flexibility in our auth stack.
It would allow us to implement things like:

• Two-step (non-disruptive) token revocation.
  • First, add a new key. Then generate new tokens and replace them on your services. Then revoke the old key.
• Token for a group of namespaces.
  • To be able to use the same token for a set of databases, we just have to register the same public key for that set.
  • The cool thing is that this can be totally dynamic since we should be able to add/remove the key with just reconfiguring the database.
  • You can take namespace-specific tokens all the way to the front end with cookies, while the group ones are a secret on the backend.