indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Require Accept headers in requests. #70

Open Zegnat opened 3 years ago

Zegnat commented 3 years ago

More strictly define the requests we expect clients to send to the endpoints, outside of just the (generally treated as non-normative) examples. This adds:

  1. The requirement for an HTTP Accept header of application/json when redeeming the authorization code. This hopefully avoids new clients having problems with old authorization endpoints that could have answered with an application/x-www-form-urlencoded response.
  2. The requirement for an HTTP Accept header of application/json when verifying a Bearer Token at the token endpoint.

As it adds language about the Accept header, it also clarifies the use of URL spec's application/x-www-form-urlencoded format and its matching Content-Type header to the redeem step.

Fixes #18. (I think.)

aaronpk commented 3 years ago

Do we know how many servers currently default to form-encoded responses still? I'm still on the fence about adding this since it's not a requirement of OAuth 2.0, and is really only needed for backwards compatibility with older IndieAuth clients. I think I would still like to make a push to update servers to default to the JSON responses instead.

Zegnat commented 3 years ago

I am not sure. Back in 2017 there was a discussion on Selfauth because of Telegraph not supporting JSON. But Selfauth has always preferred serving JSON over form-urlencoded unless a server specifically asked for form-urlencoded. And that was 3 years ago...

Selfauth does not currently answer when no Accept header is provided, I think. In that case it will throw an HTTP 406 Not Acceptable. But that is not really IndieAuth spec specific and just Selfauth being overly strict.

We may be talking about 2017 and earlier clients and servers here.
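An added example, not code from this PR or from the indieauth project, showing both sides of the negotiation the PR description and the later 406 remark are about: a client that sends `Accept: application/json` with a form-encoded body when redeeming the code, and a server that defaults to JSON, serves form-urlencoded only when the client asks for it, and answers 406 Not Acceptable when nothing fits. The parameter names and the profile payload are constructed placeholders.

```python
"""Accept-header negotiation for an IndieAuth code-redemption response.
Illustrative code only; field names and values below are constructed."""
import json
from urllib.parse import urlencode

JSON = "application/json"
FORM = "application/x-www-form-urlencoded"


def parse_accept(accept_header):
    """Return (media_type, q) pairs from an Accept header, best q first.
    A missing or empty header is treated as '*/*' (client accepts anything)."""
    if not accept_header or not accept_header.strip():
        return [("*/*", 1.0)]
    prefs = []
    for part in accept_header.split(","):
        pieces = [p.strip() for p in part.split(";")]
        media, q = pieces[0].lower(), 1.0
        for param in pieces[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q-value: treat as not acceptable
        if media and q > 0:
            prefs.append((media, q))
    return sorted(prefs, key=lambda mq: -mq[1])  # stable: ties keep order


def negotiate_redeem_response(accept_header, profile):
    """Server side: pick the encoding for the redemption response.
    Policy: JSON by default; form-urlencoded only when the client ranks it
    above (or lists it before) JSON; 406 when neither is acceptable.
    Returns (status, content_type, body)."""
    for media, _q in parse_accept(accept_header):
        if media in (JSON, "application/*", "*/*"):
            return 200, JSON, json.dumps(profile)
        if media == FORM:
            return 200, FORM, urlencode(profile)
    return 406, "text/plain", "Not Acceptable"


def build_redeem_request(code, client_id, redirect_uri):
    """Client side: headers and body for the redeem step as the PR asks.
    Body is form-urlencoded, and Accept pins the response to JSON."""
    body = urlencode({"code": code, "client_id": client_id,
                      "redirect_uri": redirect_uri})
    return {"Accept": JSON, "Content-Type": FORM}, body
```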