Use expiration time in x-atomic HTTP authorization

[joepio]

Currently, in HTTP auth, we use the current timestamp and the server has a hard-coded max age for signed headers.

This gives no control to the client regarding how long a signature should be valid. We could invert this control by setting an expiration date instead of a timestamp.