Merge upstream HEAD (da6668b, 2024-01-02) for auth fix

[jmarshall]

The recently cherry-picked CVE-2023-51663 fix (PR #323) included refactored code dependent on recent upstream code that was not cherry-picked. This caused:

{"severity":"ERROR","levelname":"ERROR","asctime":"2024-01-03 01:59:09,079","filename":"auth.py",
"funcNameAndLine":"callback:341","message":"oauth2 callback: could not fetch and verify token",
"exc_info":"Traceback (most recent call last):\n
File \"/usr/local/lib/python3.9/dist-packages/auth/auth.py\", line 335, in callback\n
    flow_client = request.app[AppKeys.FLOW_CLIENT]\n
NameError: name 'AppKeys' is not defined",
"hail_log":1}

Context: https://centrepopgen.slack.com/archives/C030X7WGFCL/p1704243108737559

This merges current upstream HEAD to include the necessary AppKeys class (see auth/auth/auth.py) and any unrelated fixes and improvements.

Merge conflicts resolved included letsencrypt/subdomains.txt, in which we omitted upstream's addition of guide-analysis which is specific to their lab.

[jmarshall]

Yep, I was just looking at the batch/sql/rename-job-groups-tables.sql migration script, which will be interesting to observe running…