
Perform node.IsTagged() check in /authorize #1

Merged
itsvs merged 5 commits into main from move-whois-lookup
Mar 23, 2026

Conversation

@itsvs (Owner) commented Mar 23, 2026

This PR is a replica of tailscale#160 for this fork.

Currently the /authorize handler happily issues an auth code for tagged nodes. Since tagged nodes represent no user identity, token exchange for these codes later (correctly) fails.

This is fundamentally an authorization validation step. A tagged node is essentially not able to identify itself, so it is poor OAuth practice to issue an auth code for it. The service already looks up node information while handling /authorize, so it should detect tagged nodes up front and prevent them from being used.

This PR adds a check to /authorize to redirect with error=access_denied if a tagged node is detected. This way, the OAuth client need not go through token exchange when the node is not authorized.

This PR also makes a few improvements to the testing flow. Specifically, it:

  1. makes it possible to mock .WhoIs responses from the local client, by representing the client as an interface rather than the *local.Client type
  2. adds a test case to token_test.go to check tagged nodes during the /token endpoint
  3. adds test cases to authorize_test.go to check tagged nodes, stop on .WhoIs errors, and check the happy path

Happy to discuss further or iterate over this PR if desired! Beyond the test updates here, I also ran this locally and performed a basic check that it works as expected (untagged nodes are unaffected, tagged nodes return the right redirect on /authorize).
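The check and the test seam described above, written out as an added example (not code from this PR or from the tsidp project): a `WhoIsClient` interface standing in for `*local.Client`, a mock that returns a canned node or error, and an `/authorize` handler that stops on WhoIs errors and redirects tagged nodes with `error=access_denied`. `Node`, `mockClient`, `authorize` and the placeholder code value are constructed for illustration; validation of `redirect_uri` against the registered client is assumed to have happened earlier and is left out.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Node is a constructed stand-in for a WhoIs result; only IsTagged() matters here.
type Node struct{ Tagged bool }
func (n Node) IsTagged() bool { return n.Tagged }

// WhoIsClient abstracts the local client so tests can mock WhoIs instead of needing a real *local.Client.
type WhoIsClient interface {
	WhoIs(ctx context.Context, remoteAddr string) (*Node, error)
}

// mockClient (constructed for tests) returns a canned node or error in place of a real lookup.
type mockClient struct{ node *Node; err error }
func (m mockClient) WhoIs(context.Context, string) (*Node, error) { return m.node, m.err }

// authorizeHandler stops on WhoIs errors and refuses to mint an auth code for a tagged node,
// redirecting to redirect_uri with error=access_denied instead (redirect_uri assumed pre-validated).
func authorizeHandler(lc WhoIsClient) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		redirectURI, state := r.FormValue("redirect_uri"), r.FormValue("state")
		node, err := lc.WhoIs(r.Context(), r.RemoteAddr)
		if err != nil {
			http.Error(w, "whois lookup failed", http.StatusInternalServerError)
			return
		}
		q := url.Values{"state": {state}}
		if node.IsTagged() {
			q.Set("error", "access_denied") // tagged node carries no user identity
		} else {
			q.Set("code", "example-auth-code") // placeholder for a freshly minted code
		}
		http.Redirect(w, r, redirectURI+"?"+q.Encode(), http.StatusFound)
	}
}

// authorize drives the handler once and returns the status plus the parsed Location query.
func authorize(lc WhoIsClient) (int, url.Values) {
	req := httptest.NewRequest("GET", "/authorize?redirect_uri=https://app.example/cb&state=xyz", nil)
	rec := httptest.NewRecorder()
	authorizeHandler(lc).ServeHTTP(rec, req)
	loc, _ := url.Parse(rec.Header().Get("Location"))
	return rec.Code, loc.Query()
}
```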

@itsvs itsvs merged commit d62b80c into main Mar 23, 2026