@sapslaj commented Aug 22, 2025

This adds session refresh functionality to pgweb, as discussed in #799. Right now it's a bit of a hack: there are quite a few TODOs and FIXMEs, and there aren't any tests. But I figured I would throw up this draft PR to start getting eyes on it.

I went with adding a new `session_expiry` field that takes an RFC 3339 timestamp. Every minute, on a background goroutine, it checks all of the sessions, and if any of them have expired it will refresh them.

There are some tradeoffs with this approach.

  1. Each `api.Session` has a `SessionRefresh` callback that is used for the session refresh and initial session setup. This works well enough but it does make the callstack a little more complicated.
  2. `api.Session` could potentially be rolled into `client.Client` but it seemed trickier than just a new struct. But if `SessionManager` isn't used then there has to be a different way that sessions are refreshed, so it's a little weird right now.
  3. Since session expiry is only checked once a minute, you could end up in a situation where pgweb tries to use credentials that have already expired. An alternative approach could be to spin up a goroutine that sleeps until it is just the right time and then refreshes the credentials so there's no chance for expired credentials to ever be used, but that's a little more complicated than a for loop with `time.Tick`.
  4. `api.DbClient` isn't used directly anymore and `api.DbSession` is used instead, but a pointer to the `client.Client` is kept in that variable. It's an exported variable so I wasn't sure how much we care about package API breaking changes.
  5. On that note, there aren't any exported API breaking changes, but there are some weird inconsistencies as a result of that; for instance `SessionManager.Sessions()` returns a map of `*client.Client` and not `*Session`. If all of the refresh stuff was in `client.Client` then this wouldn't be an issue.

Again, just wanted to get this draft PR up. I'll keep iterating on it in the meantime. Let me know your thoughts on this approach.

Fixes #799
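
The alternative raised in tradeoff 3 (one goroutine per session that sleeps until shortly before expiry instead of polling every minute), sketched as an added example that is not part of this PR or of pgweb's code. `Session`, `Refresh`, `refreshDelay`, `runRefresher`, and the `lead` and `floor` parameters are assumed names for illustration.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Session is a hypothetical stand-in for the PR's api.Session (names assumed).
type Session struct {
	Expiry  string                 // RFC 3339, like the session_expiry field
	Refresh func() (string, error) // fetches fresh credentials, returns new expiry
}

// refreshDelay returns the wait until `lead` before expiry, never below `floor`.
func refreshDelay(expiry string, now time.Time, lead, floor time.Duration) (time.Duration, error) {
	t, err := time.Parse(time.RFC3339, expiry)
	if err != nil {
		return 0, fmt.Errorf("invalid session expiry %q: %w", expiry, err)
	}
	d := t.Sub(now) - lead
	if d < floor {
		d = floor // past or stale expiry: bounded retry rate, no busy loop
	}
	return d, nil
}

// runRefresher refreshes just before each expiry until ctx is cancelled.
func runRefresher(ctx context.Context, s *Session, lead, floor time.Duration) error {
	for {
		d, err := refreshDelay(s.Expiry, time.Now(), lead, floor)
		if err != nil {
			return err
		}
		timer := time.NewTimer(d)
		select {
		case <-ctx.Done():
			timer.Stop()
			return ctx.Err()
		case <-timer.C:
		}
		if next, err := s.Refresh(); err == nil {
			s.Expiry = next // on failure the old expiry stays, so retry after floor
		}
	}
}

func main() { // constructed sample: expiry one hour after a fixed "now"
	fmt.Println(refreshDelay("2025-08-22T12:00:00Z", time.Date(2025, 8, 22, 11, 0, 0, 0, time.UTC), 30*time.Second, time.Second))
}
```

The `lead` margin is what closes the window in which expired credentials could be used; the `floor` keeps a backend that returns an already-expired timestamp from being hammered with refresh requests.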

This makes it so that the tests won't appear to hang if `PGPASSWORD` is
not specified as psql commands will default to prompting for a password
if they can't determine one automatically. `-w` makes it so that it will
never prompt and will just error out instead.

Connect Backends can specify a session expiry timestamp (in RFC 3339
format) and once that session expires pgweb will reach out to the
Connect Backend and get fresh credentials.
Successfully merging this pull request may close these issues.

Automatic password refresh from connect backend

1 participant