Add verification for the Authorization header for incoming requests. The
defaults are to verify that the request is appropriately authenticated
with a Google service account corresponding to the API Gateway.

Expected issuer, authorised parties, issuer certificate URLs, etc can be
customised via settings. This is unlikely to be used in production but
is useful when combined with the API Gateway emulator for local
development.

Verification can be disabled entirely by setting an appropriately
dire-named setting.

Tests have been updated to exercise verification assuming that the
Google verification library works as documented.

Closes #4

Update (or, more correctly, create) the changelog in the process.