
feat(auth0-fastify-api): Add DPoP support on auth0-fastify-api#60

Merged
nandan-bhat merged 5 commits into main from feature/DPoP/SDK-8697 on May 18, 2026

Conversation

@nandan-bhat
Contributor

@nandan-bhat nandan-bhat commented May 7, 2026

Summary

Adds DPoP (Demonstration of Proof-of-Possession, RFC 9449) support to @auth0/auth0-fastify-api. DPoP binds access tokens to a client's key pair, preventing stolen tokens from being replayed by attackers.

The SDK now automatically extracts the DPoP proof header, detects the authorization scheme (Bearer vs DPoP), and delegates full cryptographic validation to the underlying @auth0/auth0-api-js SDK.

Changes

  • Plugin configuration: Added dpop option with mode (allowed | required | disabled), iatOffset, and iatLeeway settings.
  • Token extraction: Recognizes both Authorization: Bearer <token> and Authorization: DPoP <token> schemes.
  • DPoP proof forwarding: Extracts the DPoP request header and passes it along with httpMethod, httpUrl, and scheme to ApiClient.verifyAccessToken().
  • Error handling: Properly surfaces InvalidDpopProofError (400), InvalidRequestError (400), and VerifyAccessTokenError (401) with RFC-compliant WWW-Authenticate challenge headers.
  • Exports: Re-exports DPoPOptions, InvalidDpopProofError, InvalidRequestError, and VerifyAccessTokenError for consumer error handling.
  • Documentation: Added DPoP sections to both README.md and EXAMPLES.md covering configuration, modes, error handling, timing, and MCD integration.

Configuration

fastify.register(fastifyAuth0Api, {
  domain: '<AUTH0_DOMAIN>',
  audience: '<AUTH0_AUDIENCE>',
  dpop: {
    mode: 'required',        // 'allowed' (default) | 'required' | 'disabled'
    iatOffset: 300,          // optional, default: 300
    iatLeeway: 30,           // optional, default: 30
  },
});
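As an added illustration of the request handling the PR summary describes (this is example code written for this review, not code from auth0-fastify-api or @auth0/auth0-api-js): it detects the Bearer/DPoP scheme, forwards the DPoP proof header together with httpMethod and httpUrl, enforces the three dpop.mode values, maps the three error classes to 400/401 responses with a WWW-Authenticate challenge, and checks the proof's iat against an iatOffset/iatLeeway window. The error classes, the option semantics, the challenge strings and the sample request are assumptions made here, modelled on RFC 9449; the real plugin delegates proof validation to the underlying SDK.

```javascript
// Added example, not code from the auth0-fastify-api project: a stand-alone
// model of scheme detection, DPoP proof forwarding, dpop.mode enforcement,
// error-to-response mapping and the iat window. Error classes, option
// semantics and challenge strings are assumptions modelled on RFC 9449.

class InvalidRequestError extends Error {
  constructor(message) { super(message); this.name = 'InvalidRequestError'; }
}
class InvalidDpopProofError extends Error {
  constructor(message) { super(message); this.name = 'InvalidDpopProofError'; }
}
class VerifyAccessTokenError extends Error {
  constructor(message) { super(message); this.name = 'VerifyAccessTokenError'; }
}

// Parse "Authorization: <scheme> <token>". Scheme names are case-insensitive
// (RFC 9110), so "dpop" and "DPoP" both select the DPoP scheme.
function parseAuthorization(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^\s*(Bearer|DPoP)\s+(\S+)\s*$/i.exec(headerValue);
  if (!m) return null;
  return { scheme: m[1].toLowerCase() === 'dpop' ? 'DPoP' : 'Bearer', token: m[2] };
}

// Collect what a verifier needs from a Fastify-style request
// ({ method, url, protocol, hostname, headers }) and enforce dpop.mode.
function buildVerifyInput(request, dpopOptions = {}) {
  const mode = dpopOptions.mode ?? 'allowed';
  const auth = parseAuthorization(request.headers.authorization);
  if (!auth) throw new VerifyAccessTokenError('missing or malformed Authorization header');

  const proof = request.headers.dpop; // Node lowercases incoming header names
  if (auth.scheme === 'DPoP') {
    if (mode === 'disabled') throw new InvalidRequestError('DPoP scheme is not accepted');
    if (proof === undefined) throw new InvalidRequestError('DPoP proof header is missing');
    if (Array.isArray(proof)) throw new InvalidRequestError('multiple DPoP proof headers');
  } else if (mode === 'required') {
    throw new VerifyAccessTokenError('a DPoP-bound token is required');
  }

  // The proof's htu claim is compared without query and fragment (RFC 9449
  // section 4.3), so the forwarded URL is normalised the same way.
  const path = request.url.split(/[?#]/)[0];
  return {
    accessToken: auth.token,
    scheme: auth.scheme,
    dpopProof: auth.scheme === 'DPoP' ? proof : undefined,
    httpMethod: request.method.toUpperCase(),
    httpUrl: `${request.protocol}://${request.hostname}${path}`,
  };
}

// Freshness window for the proof's iat claim. Assumed semantics for the two
// knobs: a proof may be at most iatOffset seconds old, and iatLeeway seconds
// of clock skew are tolerated in both directions.
function proofIatWithinWindow(iat, nowSeconds, { iatOffset = 300, iatLeeway = 30 } = {}) {
  if (!Number.isInteger(iat)) return false;
  return iat >= nowSeconds - iatOffset - iatLeeway && iat <= nowSeconds + iatLeeway;
}

// Map a thrown error to a status and WWW-Authenticate challenge. The challenge
// advertises only the schemes the configured mode accepts (RFC 9449 section 7.2).
function toErrorResponse(err, dpopOptions = {}) {
  const mode = dpopOptions.mode ?? 'allowed';
  const schemes = mode === 'required' ? ['DPoP'] : mode === 'disabled' ? ['Bearer'] : ['DPoP', 'Bearer'];
  const challenge = (code, description) =>
    schemes
      .map((s) => `${s} error="${code}", error_description="${description}"` + (s === 'DPoP' ? ', algs="ES256"' : ''))
      .join(', ');

  if (err instanceof InvalidDpopProofError) {
    return { status: 400, headers: { 'www-authenticate': challenge('invalid_dpop_proof', err.message) } };
  }
  if (err instanceof InvalidRequestError) {
    return { status: 400, headers: { 'www-authenticate': challenge('invalid_request', err.message) } };
  }
  if (err instanceof VerifyAccessTokenError) {
    return { status: 401, headers: { 'www-authenticate': challenge('invalid_token', err.message) } };
  }
  return { status: 500, headers: {} }; // not an auth failure; leave it to the app's error handler
}

// Constructed sample request (not a real capture); token and proof are placeholders.
const sampleRequest = {
  method: 'get',
  url: '/v1/orders?page=2',
  protocol: 'https',
  hostname: 'api.example.com',
  headers: { authorization: 'DPoP eyJ.access.token', dpop: 'eyJ.dpop.proof' },
};

console.log(buildVerifyInput(sampleRequest, { mode: 'required' }));
```

Two points worth noting from the model: under mode 'required' a Bearer token is rejected with a 401 whose challenge lists only DPoP, which is how a resource server tells a client to upgrade to sender-constrained tokens; and the iat window is the only place where iatOffset and iatLeeway matter, so a deployment that widens them also widens the replay window for a captured proof.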

@nandan-bhat nandan-bhat force-pushed the feature/DPoP/SDK-8697 branch from 41f48a7 to eec551a Compare May 18, 2026 13:18
@nandan-bhat nandan-bhat force-pushed the feature/DPoP/SDK-8697 branch from eec551a to fd48e16 Compare May 18, 2026 13:55

@kishore7snehil kishore7snehil left a comment


LGTM!

@nandan-bhat nandan-bhat merged commit 94a00d0 into main May 18, 2026
6 checks passed
