db: add user credentials table and CRUD (ish) methods

Created by: LawnGnome

This splits the original campaign_user_credentials (née campaign_user_tokens) table out from the draft #15301 PR, and refactors the Go types and methods to fit into internal/db, since this is now going to be a more generic table so others can reuse it at a later stage.

It might be easiest to read this in conjunction with the high level plan for campaign user token support, if you haven't already, since that should fill in most of the blanks on usage.

Random notes on design decisions that might be considered "interesting":

• Although records can be uniquely identified by (domain, user_id, external_service_type, external_service_id), a bigserial field called id is still present to make addressing these records through GraphQL easier.
• Rather than separating create and update, the userCredentials type exposes an Upsert method, given the unique identifier noted above and the fact there's only one actual field that depends on it. This should align better with how we'll be using these records in practice.

This is also my first foray into the secret package, so if I'm misusing its encrypted field capabilities, now would be a good time to know that. 😬