Open
QR code links should be accessible without login to datalab, with read-only access. Probably will need the following approach:
- datalab API stores a new kind of secret key to authenticated users that is infrequently rotated (perhaps just on server startup), with each one stored in the database.
- when generating QR code links, the app gets the latest secret key and encodes it as a token in the generated QR code link, along with the refcode and user in question.
- When visiting the link, the API gives access based on whether the token was once generated by datalab for that entry.
This is a bit insecure; a logged-in user, as the key will be visible in network requests, could craft links for other entries, but perhaps this is functionality we want anyway wrt magic links! The only difference will be that the QRCode will be specifically encoded as a JWT with no baked-in expiry date.
Another issue is that JWTs might be too large to stuff into QR codes.
cc @PeterKraus
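One way to implement the signed link sketched above, as an added example that is not datalab's own code: an HMAC over the key id, refcode and user in place of a JWT, which keeps the token to a few dozen characters and makes revocation a matter of retiring the key. `KEY_STORE`, `mint_qr_token` and `verify_qr_token` are assumed names, and the in-memory key store stands in for the database.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the "secret key stored in the database" from the issue: in the
# real service the key material would be loaded from the DB at startup and rotated there.
# All names here (KEY_STORE, mint_qr_token, verify_qr_token) are hypothetical.
KEY_STORE = {1: secrets.token_bytes(32)}   # key id -> key bytes; retire a key by deleting it
ACTIVE_KEY_ID = 1
SEP = ":"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_qr_token(refcode: str, user: str, key_id: int = ACTIVE_KEY_ID) -> str:
    """Build key_id:refcode:user:mac. Binding refcode and user into the MAC means a
    token for one entry cannot be edited into a token for another without the server
    key, and the key id lets the verifier pick the right key after rotation."""
    if SEP in refcode or SEP in user:
        raise ValueError("refcode and user must not contain the separator")
    payload = SEP.join((str(key_id), refcode, user))
    mac = hmac.new(KEY_STORE[key_id], payload.encode(), hashlib.sha256).digest()[:16]
    return payload + SEP + _b64(mac)

def verify_qr_token(token: str):
    """Return (refcode, user) if this server minted the token, else None. The caller
    must still restrict the resulting session to read-only access to that refcode."""
    try:
        key_id_s, refcode, user, mac_s = token.split(SEP)
        key_id = int(key_id_s)
        given = _unb64(mac_s)
    except ValueError:  # wrong field count, non-numeric key id or malformed base64
        return None
    key = KEY_STORE.get(key_id)
    if key is None:  # key retired: every token minted under it stops working (no expiry otherwise)
        return None
    payload = SEP.join((key_id_s, refcode, user)).encode()
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(given, expected):
        return None
    return refcode, user
```

A token here is roughly the key id plus the two identifiers plus 22 characters of MAC, well inside what a QR code carries comfortably.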