[Multi-Tenant] Use http-signatures to determine tenant identity during requests #2928

Closed
@njlie

Description

During tenanted Admin GraphQL requests, the server should leverage the existing http-signature signing scheme to determine if the requester is a particular tenant. This should be achieved through the following:

  • GraphQL requests should be augmented with a tenantId in the header.
  • A middleware on the Admin GraphQL server should use this header to retrieve the apiSecret on the associated entry in the tenants table.
  • This middleware should then construct a signature with the apiSecret it retrieved and either accept or reject the request based on if the signature is valid.
  • If the request is accepted, the subsequent business logic should use the tenantId provided in the header as part of its input.

We might want to also allow signatures generated using the ADMIN_API_SECRET environment variable to be used as valid authentication, as a way for operators to identify themselves.

  • Update Admin API middleware to expect tenantId in header during request
  • Update Admin API middleware to call signature verification method that constructs signature from a tenant's apiSecret, throw if invalid

Prerequisites:
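
The middleware flow listed in this issue, sketched as an added example (not code from the issue or from the project). The `tenant-id` and `signature` header names, the `t=..., v1=...` signature format, the signed string and the 30-second skew window are assumptions, since the issue does not specify them; the `Map` stands in for the tenants table.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumptions (not from the issue): the tenant travels in a "tenant-id" header and
// the "signature" header is "t=<unix ms>, v1=<hex HMAC-SHA256 of `${t}.${rawBody}`>".
type AuthResult = { ok: boolean; tenantId?: string; isOperator?: boolean; reason?: string };
const MAX_SKEW_MS = 30_000; // assumed replay window

// Client side: what a tenant would attach to a request.
function signRequest(secret: string, timestamp: number, rawBody: string): string {
  const mac = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp}, v1=${mac}`;
}

// Recompute the MAC with a candidate secret and compare in constant time.
function macMatches(secret: string, t: string, rawBody: string, presentedHex: string): boolean {
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  const presented = Buffer.from(presentedHex, "hex");
  return presented.length === expected.length && timingSafeEqual(presented, expected);
}

// Server side. tenantSecrets stands in for the tenants table (tenantId -> apiSecret);
// adminApiSecret stands in for the ADMIN_API_SECRET environment variable.
function authenticateTenant(
  headers: Record<string, string | undefined>,
  rawBody: string,
  tenantSecrets: Map<string, string>,
  adminApiSecret?: string,
  now: number = Date.now()
): AuthResult {
  const tenantId = headers["tenant-id"];
  const parsed = /^t=(\d+), v1=([0-9a-f]{64})$/.exec(headers["signature"] ?? "");
  if (!tenantId || !parsed) return { ok: false, reason: "missing tenant-id or signature" };
  const t = String(parsed[1]);
  const mac = String(parsed[2]);
  if (Math.abs(now - Number(t)) > MAX_SKEW_MS) return { ok: false, reason: "stale timestamp" };

  // The secret is selected by the claimed tenantId, so a valid MAC binds the
  // request to that tenant; a signature made with another tenant's secret fails.
  const apiSecret = tenantSecrets.get(tenantId);
  if (apiSecret && macMatches(apiSecret, t, rawBody, mac)) {
    return { ok: true, tenantId, isOperator: false };
  }
  // Optional operator path from the issue: a MAC made with ADMIN_API_SECRET.
  if (adminApiSecret && macMatches(adminApiSecret, t, rawBody, mac)) {
    return { ok: true, tenantId, isOperator: true };
  }
  return { ok: false, reason: "invalid signature" };
}
```

Business logic should take `tenantId` only from a result with `ok: true`, and should treat `isOperator` as a separate authorization decision rather than as membership in that tenant.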

Metadata

Labels

pkg: backend (Changes in the backend package.)
pkg: frontend (Changes in the frontend package.)

Type

No type

Projects

Status

Done

Relationships

None yet

Development

No branches or pull requests
