(feat) allow the api-server to impersonate an account to gateway (#802)

re https://github.com/overmindtech/workspace/issues/792
- gateway records impersonation for websockets ✅
- sdp-go middleware  records impersonation for http ✅
- deploy allows api-server to perform scopes needed for queries and
snapshots on gateway, ✅
- api-server has a helper method for impersonating an account.
changeAnalysis uses it ✅

GitOrigin-RevId: 1c58a14cb3e984345c8897e59b1bd4a09be47c1b

Author: tphoney

sdp-go/middleware.go

@@ -334,9 +334,17 @@ func ensureValidTokenHandler(config AuthConfig, next http.Handler) http.Handler
 			attribute.String("ovm.auth.accountName", customClaims.AccountName),
 			attribute.Int64("ovm.auth.expiry", claims.RegisteredClaims.Expiry),
 			attribute.String("ovm.auth.scopes", customClaims.Scope),
+			// subject is the auth0 client id or user id
 			attribute.String("ovm.auth.subject", claims.RegisteredClaims.Subject),
 		)
 
+		// if its a service impersonating an account, we should mark it as impersonation
+		if strings.HasSuffix(claims.RegisteredClaims.Subject, "@clients") {
+			trace.SpanFromContext(ctx).SetAttributes(
+				attribute.Bool("ovm.auth.impersonation", true),
+			)
+		}
+
 		r = r.Clone(ctx)
 
 		next.ServeHTTP(w, r)