Security hardening: lock down /token endpoint, hide secrets, modernize runtime #1

Open

Somnath-ProtectAI wants to merge 1 commit into 418sec:master from Somnath-ProtectAI:sec/nfaid
Conversation

@Somnath-ProtectAI Somnath-ProtectAI commented May 13, 2026

This service is the bridge that lets users log into huntr with their GitHub account.

What this fixes:

  • The /token endpoint was open to anyone on the internet — now only Cognito (our login system) can call it.
  • The signing key and GitHub secret were visible in the AWS console / CloudFormation — now masked with NoEcho.
  • Lambda was on Node 14 (end-of-life, AWS won't even let us deploy it anymore) — bumped to Node 20 along with GitHub Actions.
  • Old axios / jsonwebtoken libraries with known CVEs — upgraded.
  • Login URL parameters weren't escaped — now properly encoded.
  • Debug logs were printing access tokens and the client secret — now redacted.

No behaviour change for users. No new secrets or AWS config needed — merge and CI deploys.

⚠️ Note for future secret rotation: if GH_CLIENT_SECRET is ever rotated, also update it in AWS Cognito → huntr pool → Social providers → GitHub → Client secret (see comment in scripts/deploy.sh).
