This reduces the server time to compute the hash from 40ms to 5µs,
which should remove this as a noticable chunk of CPU time in production.
(An attacker who has access to our database will now need only 10^54
years of CPU time instead of 10^58 to brute force a token).
Release Notes:
- Improved sign in latency by 40ms.
* Use the impersonator id to prevent these tokens from counting
against the impersonated user when limiting the users' total
of access tokens.
* When connecting using an access token with an impersonator
add the impersonator as a field to the tracing span that wraps
the task for that connection.
* Disallow impersonating users via the admin API token in production,
because when using the admin API token, we aren't able to identify
the impersonator.
Co-authored-by: Marshall <marshall@zed.dev>
