Google sign in uses environment for API keys

[will-molloy]

Solution to #23 follow up PR to #64.

Change: get Google client and secret from environment rather than expose them in this public repository. The keys would then be set at deployment e.g. in Heroku or similar. Need #105 to really test this.

[softeng-701]

@wilmol please ask your team to review, thanks!

[will-molloy]

@softeng-701 fixed conflict and squashed. Ready for merge :)