Make it so you can opt out of object authorization

[rmosolgo]

Fixes #3429

I can't say I recommend it, but if it's really adding up, this makes it possible (and tested) to override Schema::Object.authorized_new and bypass authorization.

I also investigated an option for disabling built-in authorization at runtime, but I found it put too much complexity in the code (https://github.com/rmosolgo/graphql-ruby/compare/skip-built-in-auth).

Instead, this approach consolidates tracing and logic in .authorized_new, then tests to confirm that it can be overridden (including for DynamicFields, which implements __typename).

So, with this PR, you could opt out by adding:

class Types::BaseObject 
  # Normally, GraphQL-Ruby calls `.authorized?` before initializing this, 
  # but we want to bypass that 
  def self.authorized_new(obj, ctx)
    new(obj, ctx)
  end 
end 

and

class MySchema < GraphQL::Schema
  # Add a custom introspection module which will avoid `.authorized?` checks 
  # for __typename and __type(name: ...) fields
  module Introspection 
     class DynamicFields < GraphQL::Introspection::DynamicFields 
       def self.authorized_new(obj, ctx)
         new(obj, ctx)
       end 
     end 
   end 
   
   introspection(Introspection)
   
   # ... 
 end 

[bbugh]

Seems good to me!