Use expiration time in x-atomic HTTP authorization

Currently, in [HTTP auth](https://docs.atomicdata.dev/authentication.html#http-headers), we use the current timestamp and the server has a hard-coded max age for signed headers.

This gives no control to the client regarding how long a signature should be valid. We could invert this control by setting an `expiration` date instead of a `timestamp`.