While doing #5, I noticed a potential security issue.
In handleLogin() in client/src/components/App.js, the redirect to Fireroad is passed a redirect=<url> query parameter. This URL is set to use HTTP instead of HTTPS if the user's URL includes localhost:5000. I could potentially see this being a security risk if someone sneaks this string into the URL and then captures the Fireroad auth token via a man-in-the-middle attack.
Regardless, this behavior should be configured via a build flag instead of trying to guess whether it's being run in dev. Will make a stacked PR on top of #5 that does this.
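
The difference between the two approaches described in this issue, as an added example (not code from the repository): the function names, the `allowInsecureRedirect` flag and the `app.example` URLs are hypothetical, and the real handleLogin() may differ in detail.

```javascript
// Added illustration. All names and URLs below are constructed, not the project's.

// Pattern described in the issue: infer "dev mode" from a substring of the
// current page URL, and downgrade the redirect target to HTTP when it matches.
function redirectTargetGuessed(pageHref) {
  const url = new URL(pageHref);
  const scheme = pageHref.includes('localhost:5000') ? 'http' : 'https';
  return `${scheme}://${url.host}`;
}

// Direction proposed in the issue: the scheme comes from a value fixed at
// build time, so nothing in the address bar can change it.
// `allowInsecureRedirect` stands in for that build flag (hypothetical name).
function redirectTargetConfigured(pageHref, allowInsecureRedirect) {
  const url = new URL(pageHref);
  const scheme = allowInsecureRedirect === true ? 'http' : 'https';
  return `${scheme}://${url.host}`;
}

// Constructed sample page URLs: a dev server, a normal production visit, and
// a production visit whose query string happens to contain the dev marker.
const SAMPLE_PAGES = [
  'http://localhost:5000/',
  'https://app.example/',
  'https://app.example/?ref=localhost:5000',
];

// Returns one row per sample page, comparing both strategies for a
// production build (flag off).
function compareForProductionBuild() {
  return SAMPLE_PAGES.map((page) => ({
    page,
    guessed: redirectTargetGuessed(page),
    configured: redirectTargetConfigured(page, false),
  }));
}

// Regression check suitable for a unit test: a production build must never
// emit an http:// redirect target, whatever the page URL contains.
function productionBuildIsHttpsOnly() {
  return compareForProductionBuild().every((row) =>
    row.configured.startsWith('https://'));
}
```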