feat(keys): Update key stretching to optionally use session token on password change

[vbudhram]

Because

• Users and playwright tests might be running into the rate limit in stage and production
• We use the customs.check request (much stricter rate limit) in password change
  • This is used in key stretching upgrades, createing recovery key, so could in theory get trigger a lot

This pull request

• Updates the /password/change/start route to optionally use a session token and call customs.checkAuthenticated

Issue that this pull request solves

Closes: https://mozilla-hub.atlassian.net/browse/FXA-11060

Checklist

• My commit is GPG signed.
• If applicable, I have modified or added tests which pass locally.
• I have added necessary documentation (if appropriate).
• I have verified that my changes render correctly in RTL (if appropriate).

Other information (Optional)

@dschom I ended up making the session token optional in the backend, but updated all the front end bits to use session token. This seems like a reasonable approach since it won't require the FxA Python client to ugrade yet. I will file some tickets with what I found while working on this.

[dschom]

I'd be interested in recording a metric here to monitor when this endpoint is called without a sessionToken.

[dschom]

Shouldn't a sessionToken be passed in here? Is it getting added in some way that's not obvious? I see the customs check below, and apparently this passes?

[vbudhram]

Yea it isn't obvious, the credentials object will exist if there is a valid session token. Normally, Hapi populates it from the authorization header, but that gets skipped when doing unit tests.

[dschom]

Do we really want to suppress this?

[vbudhram]

In my testing it could fail to retrieve keys if not yet connected to redis. It would get called again on after the setTimeout. Figured this was fine since its only test code.

[dschom]

LGTM. I like this better!